capnproto

rpc.h (29585B)

---

 // Copyright (c) 2013-2014 Sandstorm Development Group, Inc. and contributors
 // Licensed under the MIT License:
 //
 // Permission is hereby granted, free of charge, to any person obtaining a copy
 // of this software and associated documentation files (the "Software"), to deal
 // in the Software without restriction, including without limitation the rights
 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 // copies of the Software, and to permit persons to whom the Software is
 // furnished to do so, subject to the following conditions:
 //
 // The above copyright notice and this permission notice shall be included in
 // all copies or substantial portions of the Software.
 //
 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 // THE SOFTWARE.
 
 #pragma once
 
 #include "capability.h"
 #include "rpc-prelude.h"
 
 CAPNP_BEGIN_HEADER
 
 namespace kj { class AutoCloseFd; }
 
 namespace capnp {
 
 template <typename VatId, typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult>
 class VatNetwork;
 template <typename SturdyRefObjectId>
 class SturdyRefRestorer;
 
 template <typename VatId>
 class BootstrapFactory: public _::BootstrapFactoryBase {
   // Interface that constructs per-client bootstrap interfaces. Use this if you want each client
   // who connects to see a different bootstrap interface based on their (authenticated) VatId.
   // This allows an application to bootstrap off of the authentication performed at the VatNetwork
   // level. (Typically VatId is some sort of public key.)
   //
   // This is only useful for multi-party networks. For TwoPartyVatNetwork, there's no reason to
   // use a BootstrapFactory; just specify a single bootstrap capability in this case.
 
 public:
   virtual Capability::Client createFor(typename VatId::Reader clientId) = 0;
   // Create a bootstrap capability appropriate for exposing to the given client. VatNetwork will
   // have authenticated the client VatId before this is called.
 
 private:
   Capability::Client baseCreateFor(AnyStruct::Reader clientId) override;
 };
 
 template <typename VatId>
 class RpcSystem: public _::RpcSystemBase {
   // Represents the RPC system, which is the portal to objects available on the network.
   //
   // The RPC implementation sits on top of an implementation of `VatNetwork`.  The `VatNetwork`
   // determines how to form connections between vats -- specifically, two-way, private, reliable,
   // sequenced datagram connections.  The RPC implementation determines how to use such connections
   // to manage object references and make method calls.
   //
   // See `makeRpcServer()` and `makeRpcClient()` below for convenient syntax for setting up an
   // `RpcSystem` given a `VatNetwork`.
   //
   // See `ez-rpc.h` for an even simpler interface for setting up RPC in a typical two-party
   // client/server scenario.
 
 public:
   template <typename ProvisionId, typename RecipientId,
             typename ThirdPartyCapId, typename JoinResult>
   RpcSystem(
       VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
       kj::Maybe<Capability::Client> bootstrapInterface);
 
   template <typename ProvisionId, typename RecipientId,
             typename ThirdPartyCapId, typename JoinResult>
   RpcSystem(
       VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
       BootstrapFactory<VatId>& bootstrapFactory);
 
   template <typename ProvisionId, typename RecipientId,
             typename ThirdPartyCapId, typename JoinResult,
             typename LocalSturdyRefObjectId>
   RpcSystem(
       VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
       SturdyRefRestorer<LocalSturdyRefObjectId>& restorer);
 
   RpcSystem(RpcSystem&& other) = default;
 
   Capability::Client bootstrap(typename VatId::Reader vatId);
   // Connect to the given vat and return its bootstrap interface.
 
   Capability::Client restore(typename VatId::Reader hostId, AnyPointer::Reader objectId)
       CAPNP_DEPRECATED("Please transition to using a bootstrap interface instead.");
   // ** DEPRECATED **
   //
   // Restores the given SturdyRef from the network and return the capability representing it.
   //
   // `hostId` identifies the host from which to request the ref, in the format specified by the
   // `VatNetwork` in use.  `objectId` is the object ID in whatever format is expected by said host.
   //
   // This method will be removed in a future version of Cap'n Proto. Instead, please transition
   // to using bootstrap(), which is equivalent to calling restore() with a null `objectId`.
   // You may emulate the old concept of object IDs by exporting a bootstrap interface which has
   // methods that can be used to obtain other capabilities by ID.
 
   void setFlowLimit(size_t words);
   // Sets the incoming call flow limit. If more than `words` worth of call messages have not yet
   // received responses, the RpcSystem will not read further messages from the stream. This can be
   // used as a crude way to prevent a resource exhaustion attack (or bug) in which a peer makes an
   // excessive number of simultaneous calls that consume the receiver's RAM.
   //
   // There are some caveats. When over the flow limit, all messages are blocked, including returns.
   // If the outstanding calls are themselves waiting on calls going in the opposite direction, the
   // flow limit may prevent those calls from completing, leading to deadlock. However, a
   // sufficiently high limit should make this unlikely.
   //
   // Note that a call's parameter size counts against the flow limit until the call returns, even
   // if the recipient calls releaseParams() to free the parameter memory early. This is because
   // releaseParams() may simply indicate that the parameters have been forwarded to another
   // machine, but are still in-memory there. For illustration, say that Alice made a call to Bob
   // who forwarded the call to Carol. Bob has imposed a flow limit on Alice. Alice's calls are
   // being forwarded to Carol, so Bob never keeps the parameters in-memory for more than a brief
   // period. However, the flow limit counts all calls that haven't returned, even if Bob has
   // already freed the memory they consumed. You might argue that the right solution here is
   // instead for Carol to impose her own flow limit on Bob. This has a serious problem, though:
   // Bob might be forwarding requests to Carol on behalf of many different parties, not just Alice.
   // If Alice can pump enough data to hit the Bob -> Carol flow limit, then those other parties
   // will be disrupted. Thus, we can only really impose the limit on the Alice -> Bob link, which
   // only affects Alice. We need that one flow limit to limit Alice's impact on the whole system,
   // so it has to count all in-flight calls.
   //
   // In Sandstorm, flow limits are imposed by the supervisor on calls coming out of a grain, in
   // order to prevent a grain from inundating the system with in-flight calls. In practice, the
   // main time this happens is when a grain is pushing a large file download and doesn't implement
   // proper cooperative flow control.
 
   // void setTraceEncoder(kj::Function<kj::String(const kj::Exception&)> func);
   //
   // (Inherited from _::RpcSystemBase)
   //
   // Set a function to call to encode exception stack traces for transmission to remote parties.
   // By default, traces are not transmitted at all. If a callback is provided, then the returned
   // string will be sent with the exception. If the remote end is KJ/C++ based, then this trace
   // text ends up being accessible as kj::Exception::getRemoteTrace().
   //
   // Stack traces can sometimes contain sensitive information, so you should think carefully about
   // what information you are willing to reveal to the remote party.
 
   kj::Promise<void> run() { return RpcSystemBase::run(); }
   // Listens for incoming RPC connections and handles them. Never returns normally, but could throw
   // an exception if the system becomes unable to accept new connections (e.g. because the
   // underlying listen socket becomes broken somehow).
   //
   // For historical reasons, the RpcSystem will actually run itself even if you do not call this.
   // However, if an exception is thrown, the RpcSystem will log the exception to the console and
   // then cease accepting new connections. In this case, your server may be in a broken state, but
   // without restarting. All servers should therefore call run() and handle failures in some way.
 };
 
 template <typename VatId, typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult>
 RpcSystem<VatId> makeRpcServer(
     VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
     Capability::Client bootstrapInterface);
 // Make an RPC server.  Typical usage (e.g. in a main() function):
 //
 //    MyEventLoop eventLoop;
 //    kj::WaitScope waitScope(eventLoop);
 //    MyNetwork network;
 //    MyMainInterface::Client bootstrap = makeMain();
 //    auto server = makeRpcServer(network, bootstrap);
 //    kj::NEVER_DONE.wait(waitScope);  // run forever
 //
 // See also ez-rpc.h, which has simpler instructions for the common case of a two-party
 // client-server RPC connection.
 
 template <typename VatId, typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult>
 RpcSystem<VatId> makeRpcServer(
     VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
     BootstrapFactory<VatId>& bootstrapFactory);
 // Make an RPC server that can serve different bootstrap interfaces to different clients via a
 // BootstrapInterface.
 
 template <typename VatId, typename LocalSturdyRefObjectId,
           typename ProvisionId, typename RecipientId, typename ThirdPartyCapId, typename JoinResult>
 RpcSystem<VatId> makeRpcServer(
     VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
     SturdyRefRestorer<LocalSturdyRefObjectId>& restorer)
     CAPNP_DEPRECATED("Please transition to using a bootstrap interface instead.");
 // ** DEPRECATED **
 //
 // Create an RPC server which exports multiple main interfaces by object ID. The `restorer` object
 // can be used to look up objects by ID.
 //
 // Please transition to exporting only one interface, which is known as the "bootstrap" interface.
 // For backwards-compatibility with old clients, continue to implement SturdyRefRestorer, but
 // return the new bootstrap interface when the request object ID is null. When new clients connect
 // and request the bootstrap interface, they will get that interface. Eventually, once all clients
 // are updated to request only the bootstrap interface, stop implementing SturdyRefRestorer and
 // switch to passing the bootstrap capability itself as the second parameter to `makeRpcServer()`.
 
 template <typename VatId, typename ProvisionId,
           typename RecipientId, typename ThirdPartyCapId, typename JoinResult>
 RpcSystem<VatId> makeRpcClient(
     VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network);
 // Make an RPC client.  Typical usage (e.g. in a main() function):
 //
 //    MyEventLoop eventLoop;
 //    kj::WaitScope waitScope(eventLoop);
 //    MyNetwork network;
 //    auto client = makeRpcClient(network);
 //    MyCapability::Client cap = client.restore(hostId, objId).castAs<MyCapability>();
 //    auto response = cap.fooRequest().send().wait(waitScope);
 //    handleMyResponse(response);
 //
 // See also ez-rpc.h, which has simpler instructions for the common case of a two-party
 // client-server RPC connection.
 
 template <typename SturdyRefObjectId>
 class SturdyRefRestorer: public _::SturdyRefRestorerBase {
   // ** DEPRECATED **
   //
   // In Cap'n Proto 0.4.x, applications could export multiple main interfaces identified by
   // object IDs. The callback used to map object IDs to objects was `SturdyRefRestorer`, as we
   // imagined this would eventually be used for restoring SturdyRefs as well. In practice, it was
   // never used for real SturdyRefs, only for exporting singleton objects under well-known names.
   //
   // The new preferred strategy is to export only a _single_ such interface, called the
   // "bootstrap interface". That interface can itself have methods for obtaining other objects, of
   // course, but that is up to the app. `SturdyRefRestorer` exists for backwards-compatibility.
   //
   // Hint:  Use SturdyRefRestorer<capnp::Text> to define a server that exports services under
   //   string names.
 
 public:
   virtual Capability::Client restore(typename SturdyRefObjectId::Reader ref) CAPNP_DEPRECATED(
       "Please transition to using bootstrap interfaces instead of SturdyRefRestorer.") = 0;
   // Restore the given object, returning a capability representing it.
 
 private:
   Capability::Client baseRestore(AnyPointer::Reader ref) override final;
 };
 
 // =======================================================================================
 // VatNetwork
 
 class OutgoingRpcMessage {
   // A message to be sent by a `VatNetwork`.
 
 public:
   virtual AnyPointer::Builder getBody() = 0;
   // Get the message body, which the caller may fill in any way it wants.  (The standard RPC
   // implementation initializes it as a Message as defined in rpc.capnp.)
 
   virtual void setFds(kj::Array<int> fds) {}
   // Set the list of file descriptors to send along with this message, if FD passing is supported.
   // An implementation may ignore this.
 
   virtual void send() = 0;
   // Send the message, or at least put it in a queue to be sent later.  Note that the builder
   // returned by `getBody()` remains valid at least until the `OutgoingRpcMessage` is destroyed.
 
   virtual size_t sizeInWords() = 0;
   // Get the total size of the message, for flow control purposes. Although the caller could
   // also call getBody().targetSize(), doing that would walk the message tree, whereas typical
   // implementations can compute the size more cheaply by summing segment sizes.
 };
 
 class IncomingRpcMessage {
   // A message received from a `VatNetwork`.
 
 public:
   virtual AnyPointer::Reader getBody() = 0;
   // Get the message body, to be interpreted by the caller.  (The standard RPC implementation
   // interprets it as a Message as defined in rpc.capnp.)
 
   virtual kj::ArrayPtr<kj::AutoCloseFd> getAttachedFds() { return nullptr; }
   // If the transport supports attached file descriptors and some were attached to this message,
   // returns them. Otherwise returns an empty array. It is intended that the caller will move the
   // FDs out of this table when they are consumed, possibly leaving behind a null slot. Callers
   // should be careful to check if an FD was already consumed by comparing the slot with `nullptr`.
   // (We don't use Maybe here because moving from a Maybe doesn't make it null, so it would only
   // add confusion. Moving from an AutoCloseFd does in fact make it null.)
 
   virtual size_t sizeInWords() = 0;
   // Get the total size of the message, for flow control purposes. Although the caller could
   // also call getBody().targetSize(), doing that would walk the message tree, whereas typical
   // implementations can compute the size more cheaply by summing segment sizes.
 };
 
 class RpcFlowController {
   // Tracks a particular RPC stream in order to implement a flow control algorithm.
 
 public:
   virtual kj::Promise<void> send(kj::Own<OutgoingRpcMessage> message, kj::Promise<void> ack) = 0;
   // Like calling message->send(), but the promise resolves when it's a good time to send the
   // next message.
   //
   // `ack` is a promise that resolves when the message has been acknowledged from the other side.
   // In practice, `message` is typically a `Call` message and `ack` is a `Return`. Note that this
   // means `ack` counts not only time to transmit the message but also time for the remote
   // application to process the message. The flow controller is expected to apply backpressure if
   // the remote application responds slowly. If `ack` rejects, then all outstanding and future
   // sends will propagate the exception.
   //
   // Note that messages sent with this method must still be delivered in the same order as if they
   // had been sent with `message->send()`; they cannot be delayed until later. This is important
   // because the message may introduce state changes in the RPC system that later messages rely on,
   // such as introducing a new Question ID that a later message may reference. Thus, the controller
   // can only create backpressure by having the returned promise resolve slowly.
   //
   // Dropping the returned promise does not cancel the send. Once send() is called, there's no way
   // to stop it.
 
   virtual kj::Promise<void> waitAllAcked() = 0;
   // Wait for all `ack`s previously passed to send() to finish. It is an error to call send() again
   // after this.
 
   // ---------------------------------------------------------------------------
   // Common implementations.
 
   static kj::Own<RpcFlowController> newFixedWindowController(size_t windowSize);
   // Constructs a flow controller that implements a strict fixed window of the given size. In other
   // words, the controller will throttle the stream when the total bytes in-flight exceeds the
   // window.
 
   class WindowGetter {
   public:
     virtual size_t getWindow() = 0;
   };
 
   static kj::Own<RpcFlowController> newVariableWindowController(WindowGetter& getter);
   // Like newFixedWindowController(), but the window size is allowed to vary over time. Useful if
   // you have a technique for estimating one good window size for the connection as a whole but not
   // for individual streams. Keep in mind, though, that in situations where the other end of the
   // connection is merely proxying capabilities from a variety of final destinations across a
   // variety of networks, no single window will be appropriate for all streams.
 
   static constexpr size_t DEFAULT_WINDOW_SIZE = 65536;
   // The window size used by the default implementation of Connection::newStream().
 };
 
 template <typename VatId, typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult>
 class VatNetwork: public _::VatNetworkBase {
   // Cap'n Proto RPC operates between vats, where a "vat" is some sort of host of objects.
   // Typically one Cap'n Proto process (in the Unix sense) is one vat.  The RPC system is what
   // allows calls between objects hosted in different vats.
   //
   // The RPC implementation sits on top of an implementation of `VatNetwork`.  The `VatNetwork`
   // determines how to form connections between vats -- specifically, two-way, private, reliable,
   // sequenced datagram connections.  The RPC implementation determines how to use such connections
   // to manage object references and make method calls.
   //
   // The most common implementation of VatNetwork is TwoPartyVatNetwork (rpc-twoparty.h).  Most
   // simple client-server apps will want to use it.  (You may even want to use the EZ RPC
   // interfaces in `ez-rpc.h` and avoid all of this.)
   //
   // TODO(someday):  Provide a standard implementation for the public internet.
 
 public:
   class Connection;
 
   struct ConnectionAndProvisionId {
     // Result of connecting to a vat introduced by another vat.
 
     kj::Own<Connection> connection;
     // Connection to the new vat.
 
     kj::Own<OutgoingRpcMessage> firstMessage;
     // An already-allocated `OutgoingRpcMessage` associated with `connection`.  The RPC system will
     // construct this as an `Accept` message and send it.
 
     Orphan<ProvisionId> provisionId;
     // A `ProvisionId` already allocated inside `firstMessage`, which the RPC system will use to
     // build the `Accept` message.
   };
 
   class Connection: public _::VatNetworkBase::Connection {
     // A two-way RPC connection.
     //
     // This object may represent a connection that doesn't exist yet, but is expected to exist
     // in the future.  In this case, sent messages will automatically be queued and sent once the
     // connection is ready, so that the caller doesn't need to know the difference.
 
   public:
     virtual kj::Own<RpcFlowController> newStream() override
         { return RpcFlowController::newFixedWindowController(65536); }
     // Construct a flow controller for a new stream on this connection. The controller can be
     // passed into OutgoingRpcMessage::sendStreaming().
     //
     // The default implementation returns a dummy stream controller that just applies a fixed
     // window of 64k to everything. This always works but may constrain throughput on networks
     // where the bandwidth-delay product is high, while conversely providing too much buffer when
     // the bandwidth-delay product is low.
     //
     // WARNING: The RPC system may keep the `RpcFlowController` object alive past the lifetime of
     //   the `Connection` itself. However, it will not call `send()` any more after the
     //   `Connection` is destroyed.
     //
     // TODO(perf): We should introduce a flow controller implementation that uses a clock to
     //   measure RTT and bandwidth and dynamically update the window size, like BBR.
 
     // Level 0 features ----------------------------------------------
 
     virtual typename VatId::Reader getPeerVatId() = 0;
     // Returns the connected vat's authenticated VatId. It is the VatNetwork's responsibility to
     // authenticate this, so that the caller can be assured that they are really talking to the
     // identified vat and not an imposter.
 
     virtual kj::Own<OutgoingRpcMessage> newOutgoingMessage(uint firstSegmentWordSize) override = 0;
     // Allocate a new message to be sent on this connection.
     //
     // If `firstSegmentWordSize` is non-zero, it should be treated as a hint suggesting how large
     // to make the first segment.  This is entirely a hint and the connection may adjust it up or
     // down.  If it is zero, the connection should choose the size itself.
     //
     // WARNING: The RPC system may keep the `OutgoingRpcMessage` object alive past the lifetime of
     //   the `Connection` itself. However, it will not call `send()` any more after the
     //   `Connection` is destroyed.
 
     virtual kj::Promise<kj::Maybe<kj::Own<IncomingRpcMessage>>> receiveIncomingMessage() override = 0;
     // Wait for a message to be received and return it.  If the read stream cleanly terminates,
     // return null.  If any other problem occurs, throw an exception.
     //
     // WARNING: The RPC system may keep the `IncomingRpcMessage` object alive past the lifetime of
     //   the `Connection` itself.
 
     virtual kj::Promise<void> shutdown() override KJ_WARN_UNUSED_RESULT = 0;
     // Waits until all outgoing messages have been sent, then shuts down the outgoing stream. The
     // returned promise resolves after shutdown is complete.
 
   private:
     AnyStruct::Reader baseGetPeerVatId() override;
   };
 
   // Level 0 features ------------------------------------------------
 
   virtual kj::Maybe<kj::Own<Connection>> connect(typename VatId::Reader hostId) = 0;
   // Connect to a VatId.  Note that this method immediately returns a `Connection`, even
   // if the network connection has not yet been established.  Messages can be queued to this
   // connection and will be delivered once it is open.  The caller must attempt to read from the
   // connection to verify that it actually succeeded; the read will fail if the connection
   // couldn't be opened.  Some network implementations may actually start sending messages before
   // hearing back from the server at all, to avoid a round trip.
   //
   // Returns nullptr if `hostId` refers to the local host.
 
   virtual kj::Promise<kj::Own<Connection>> accept() = 0;
   // Wait for the next incoming connection and return it.
 
   // Level 4 features ------------------------------------------------
   // TODO(someday)
 
 private:
   kj::Maybe<kj::Own<_::VatNetworkBase::Connection>>
       baseConnect(AnyStruct::Reader hostId) override final;
   kj::Promise<kj::Own<_::VatNetworkBase::Connection>> baseAccept() override final;
 };
 
 // =======================================================================================
 // ***************************************************************************************
 // Inline implementation details start here
 // ***************************************************************************************
 // =======================================================================================
 
 template <typename VatId>
 Capability::Client BootstrapFactory<VatId>::baseCreateFor(AnyStruct::Reader clientId) {
   return createFor(clientId.as<VatId>());
 }
 
 template <typename SturdyRef, typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult>
 kj::Maybe<kj::Own<_::VatNetworkBase::Connection>>
     VatNetwork<SturdyRef, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>::
     baseConnect(AnyStruct::Reader ref) {
   auto maybe = connect(ref.as<SturdyRef>());
   return maybe.map([](kj::Own<Connection>& conn) -> kj::Own<_::VatNetworkBase::Connection> {
     return kj::mv(conn);
   });
 }
 
 template <typename SturdyRef, typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult>
 kj::Promise<kj::Own<_::VatNetworkBase::Connection>>
     VatNetwork<SturdyRef, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>::baseAccept() {
   return accept().then(
       [](kj::Own<Connection>&& connection) -> kj::Own<_::VatNetworkBase::Connection> {
     return kj::mv(connection);
   });
 }
 
 template <typename SturdyRef, typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult>
 AnyStruct::Reader VatNetwork<
     SturdyRef, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>::
     Connection::baseGetPeerVatId() {
   return getPeerVatId();
 }
 
 template <typename SturdyRef>
 Capability::Client SturdyRefRestorer<SturdyRef>::baseRestore(AnyPointer::Reader ref) {
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
   return restore(ref.getAs<SturdyRef>());
 #pragma GCC diagnostic pop
 }
 
 template <typename VatId>
 template <typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult>
 RpcSystem<VatId>::RpcSystem(
       VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
       kj::Maybe<Capability::Client> bootstrap)
     : _::RpcSystemBase(network, kj::mv(bootstrap)) {}
 
 template <typename VatId>
 template <typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult>
 RpcSystem<VatId>::RpcSystem(
       VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
       BootstrapFactory<VatId>& bootstrapFactory)
     : _::RpcSystemBase(network, bootstrapFactory) {}
 
 template <typename VatId>
 template <typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult,
           typename LocalSturdyRefObjectId>
 RpcSystem<VatId>::RpcSystem(
       VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
       SturdyRefRestorer<LocalSturdyRefObjectId>& restorer)
     : _::RpcSystemBase(network, restorer) {}
 
 template <typename VatId>
 Capability::Client RpcSystem<VatId>::bootstrap(typename VatId::Reader vatId) {
   return baseBootstrap(_::PointerHelpers<VatId>::getInternalReader(vatId));
 }
 
 template <typename VatId>
 Capability::Client RpcSystem<VatId>::restore(
     typename VatId::Reader hostId, AnyPointer::Reader objectId) {
   return baseRestore(_::PointerHelpers<VatId>::getInternalReader(hostId), objectId);
 }
 
 template <typename VatId>
 inline void RpcSystem<VatId>::setFlowLimit(size_t words) {
   baseSetFlowLimit(words);
 }
 
 template <typename VatId, typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult>
 RpcSystem<VatId> makeRpcServer(
     VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
     Capability::Client bootstrapInterface) {
   return RpcSystem<VatId>(network, kj::mv(bootstrapInterface));
 }
 
 template <typename VatId, typename ProvisionId, typename RecipientId,
           typename ThirdPartyCapId, typename JoinResult>
 RpcSystem<VatId> makeRpcServer(
     VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
     BootstrapFactory<VatId>& bootstrapFactory) {
   return RpcSystem<VatId>(network, bootstrapFactory);
 }
 
 template <typename VatId, typename LocalSturdyRefObjectId,
           typename ProvisionId, typename RecipientId, typename ThirdPartyCapId, typename JoinResult>
 RpcSystem<VatId> makeRpcServer(
     VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network,
     SturdyRefRestorer<LocalSturdyRefObjectId>& restorer) {
   return RpcSystem<VatId>(network, restorer);
 }
 
 template <typename VatId, typename ProvisionId,
           typename RecipientId, typename ThirdPartyCapId, typename JoinResult>
 RpcSystem<VatId> makeRpcClient(
     VatNetwork<VatId, ProvisionId, RecipientId, ThirdPartyCapId, JoinResult>& network) {
   return RpcSystem<VatId>(network, nullptr);
 }
 
 }  // namespace capnp
 
 CAPNP_END_HEADER