The restriction that calls cannot be initiated from
canister_init is not well motivated, but there are a few use cases where that would be quite useful (e.g. fetching the randomness in the Internet Identity, which currently requires a weird extra method, registering the canister with some other canister, setting up cron calls with a hypothetical cron canister, doing ECDSA stuff once that’s there.)
Therefore I suggest to drop that restriction. The canister is considered started even before the calls have been responded to (to avoid confusion about what state a canister is in before the response comes back). Same for
canister_post_upgrade (but not
ic-ref was open source, or at least the adocs public, I’d include a proposed diff to the spec here. But it’s simple enough.)
I hope this can make it in before or with public access to the heartbeat, as otherwise I expect canister developers will resort to abuse that for initialization, which I’d consider a hack.
Implementation-wise I don’t expect this to yield any surprises.