No way to `quit` a whole world

[tonyg]

Once spawned, a nested world will not terminate. What would make a good interface to signal that a world should exit? I can think of three options:

• no outbound assertions, plus internal inertness = can never leave that state
• no remaining contained processes = can never do anything
• specific (quit-world) action

The last is likely most practical, but it seems very... abrupt! Perhaps it could be broadened into a shutdown protocol, like that used by operating systems. (This gives us a hook for "suspend-to-disk" later.)

• (quit-world) would be the "force poweroff" low-level command for killing a VM
• there'd be a shutdown manager process responsible for issuing (quit-world) when the time was right
• processes would (assert (shutdown-request <reason>)) to kick off the protocol
• they could retract this which would reset the state and go back to running
• the normal (sub (shutdown-request <reason>)) would observe shutdown requests
• processes would (assert (prevent-shutdown <objection>)) to cause the manager to hold off issuing a (quit-world)
• they would presumably then listen for shutdown-requests and respond by retracting their prevent-shutdowns

Open questions:

• What kind of back-channel from a shutdown-preventer to a shutdown-requester should there be? Perhaps a distinction between temporary prevention and permanent prevention? What does "permanent" mean? (which leads to next Q...)
• Should there be any notion of a shutdown-request instance, or is having one instance of the machine enough?
• Should there be a notion of "exit status"? Probably not, right? (If one were needed, would it be able to be effectively cooked up as normal protocol? We might need (at-meta (spawn ...))...)

[tonyg]

I've added (quit-world) actions, as a stop-gap, but it's definitely not a clean design yet.