feat(wallet/api): marshal contexts for wallet, board

[dckc]

refs: #4398
obsoletes #5874

Description

When serializing wallet state for chainStorage, there's a tension between

• keeping purses etc. closely held
• recognizing identity of brands also referenced in the state of contracts such as the AMM

makeMarshal is parameterized by the type of slots. Here we use a disjoint union of

• board ids for widely shared objects
• kind:seq ids for closely held objects; for example purse:123

@samsiegart note that unlike #5874 , this PR doesn't include any changes to lib-wallet.js; I hope you can layer those changes on top of this as a form of review.

This PR includes makeLoggingPresence, which is some advanced work on smart wallet middleware. While the design is still in progress, test coverage of this version is good enough that I'd like to land it.

Security Considerations

As @warner noted, there's a risk that chainStorage data from the AMM could try to refer to a purse using a slots such as purse:123; such a reference must fail.

Documentation Considerations

not much; these are internal APIs.

Testing Considerations

Test coverage is 100%.

agoric-sdk/packages/wallet/api$ yarn c8 ava test/test-wallet-marshal.js test/test-middleware.js
yarn run v1.22.19
$ .../.bin/c8 ava test/test-wallet-marshal.js test/test-middleware.js

  ✔ middleware › makeImportContext in wallet UI can unserialize messages
  ✔ middleware › makeLoggingPresence logs calls on purse/payment actions
  ✔ wallet-marshal › makeImportContext preserves identity across AMM and wallet
  ✔ wallet-marshal › ensureBoardId allows re-registration; initBoardId does not
  ✔ wallet-marshal › makeExportContext.serialize handles unregistered identites
  ─

  5 tests passed
---------------------|---------|----------|---------|---------|-------------------
File                 | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s 
---------------------|---------|----------|---------|---------|-------------------
All files            |     100 |      100 |     100 |     100 |                   
 marshal-contexts.js |     100 |      100 |     100 |     100 |                   
---------------------|---------|----------|---------|---------|-------------------
Done in 0.71s.

[dckc]

good progress:

agoric-sdk/packages/wallet/api$ yarn c8 ava test/test-wallet-marshal.js test/test-middleware.js
yarn run v1.22.19
$ /home/connolly/projects/agoric-sdk/node_modules/.bin/c8 ava test/test-wallet-marshal.js test/test-middleware.js

  ✔ middleware › makeImportContext in wallet UI can unserialize messages
  ✔ middleware › makeLoggingPresence logs calls on purse/payment actions
  ✔ wallet-marshal › makeImportContext preserves identity across AMM and wallet
  ✔ wallet-marshal › ensureBoardId allows re-registration; initBoardId does not
  ✔ wallet-marshal › makeExportContext.serialize handles unregistered identites
  ─

  5 tests passed
---------------------|---------|----------|---------|---------|-------------------
File                 | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s 
---------------------|---------|----------|---------|---------|-------------------
All files            |   99.61 |    97.29 |     100 |   99.61 |                   
 marshal-contexts.js |   99.61 |    97.29 |     100 |   99.61 | 206               
---------------------|---------|----------|---------|---------|-------------------
Done in 0.79s.

[samsiegart]

So you'd like me to do something like b516b66 to integrate this? Can we make a checklist of things to do, like purses, payments, issuers, brands, etc

[samsiegart]

I'm confused about this test case, because ctx I thought would be inside lib-wallet, while the logging presence would be used outside lib-wallet

[dckc]

Good point; I guess I'll think this over some more.

[dckc]

I'd like to come back to this in a later PR.

[turadg]

Looking good.

I don't know how to assess this:

there's a risk that chainStorage data from the AMM could try to refer to a purse using a slots such as purse:123; such a reference must fail.

Can a test be added for that?

[turadg]

bravo on the string template type. non-blocking suggestion to help document how this works,

Suggested change

	* @template T
	* @typedef {`${string & keyof T}:${Digits}`} WalletSlot<T>
	* @template {Record<string, IdTable<*,*>} T
	* @typedef {`${keyof T}:${Digits}`} WalletSlot<T>

[dckc]

I integrated most of that suggestion. Constraining T that way helps not only documentation but also got rid of one or two @ts-expect-errors.

But getting rid of string & doesn't seem to fly.

[turadg]

consider asserting id >= 1 for the digits

[turadg]

for documentation purposes,

Suggested change

	* @template T
	* @template {Record<string, IdTable<*,*>} T

[dckc]

Thanks; I'll give that a try.

Earlier I explored similar things without luck and punted.

[turadg]

well, keyof T | undefined. the jsdoc is right but this comment is loose

[turadg]

I think the above would also simplify this,

Suggested change

	* @param {string & keyof T} kind
	* @param {keyof T} kind

[turadg]

ditto on above suggestions about typing the template

[turadg]

👏

[turadg]

when these don't match, it'll be a string diff. consider comparing the object with JSON.parse(cap2).

If not comparing objects then it should be t.is

[dckc]

The test is supposed to be at the CapData level, where body is a string. Writing the expected body using JSON.stringify() makes it easier to read. I suppose I could add a comment...

Meanwhile, your comment prompts me to think about this a bit more carefully... In the API, slots are compared by identity, so t.deepEqual() is only correct because we happen to be using primitives (strings). In nearby designs, the slots are { kind: 'purse', id: 123} objects where it's really easy to have things that pass t.deepEqual() but not t.is().

[turadg]

dead code

[dckc]

I don't know how to assess this:

there's a risk that chainStorage data from the AMM could try to refer to a purse using a slots such as purse:123; such a reference must fail.

Can a test be added for that?

It's in there:

test('makeImportContext preserves identity across AMM and wallet', t => {
...
  t.throws(
    () => context.fromBoard.unserialize(walletCapData),
    { message: /bad board slot/ },
    'AMM cannot refer to purses',
  );

p.s. "AMM cannot forge references to purses" would be a better phrasing.

[turadg]

Approving now. (No automerge label so you'll be able to try the TS tweak before it merges.)