feat: upgrade walletFactory to go beyond vbank assets

[dckc]

closes: #8156
refs: #8071

Description / Upgrade Considerations

• proposal builder in the style of agoric run/writeCoreProposal
• docker upgrade test using the game NFT contract from the contract uprgrade PR

Security / Scaling Considerations

none that I can think of

Documentation / Testing Considerations

Once we migrate it from mostly-bash to mostly-js, this should make a good example for...

• How to do end-to-end test of permissioned deployment? #8173

$ cd packages/deployment/upgrade-test
$ make local_sdk build
$ make run

[dckc]

manual testing stuff

start the container with make run_bash and then start the chain:

agoric-upgrade-11# agd start --log_level=warn >>,chain.log 2>&1 &

I think there's an env.sh step in there too.

## agoric run outside the container
$ rm -rf ~/.agoric/cache; agoric run scripts/wfup.js
agoric: run: running /home/connolly/projects/agoric-sdk/packages/smart-wallet/scripts/wfup.js
agoric: run: Deploy script will run with Node.js ESM
bundle-source --to /home/connolly/projects/agoric-sdk/packages/smart-wallet/bundles /home/connolly/projects/agoric-sdk/packages/smart-wallet/src/walletFactory.js walletFactory
(Error#1)
Error#1: out of date: [ { relativePath: '', mtime: '2023-08-04T20:55:49.062Z' } ] . walletFactory bundled at 2023-08-04T20:53:27.269Z

/home/connolly/projects/agoric-sdk/packages/smart-wallet/bundles add: walletFactory from /home/connolly/projects/agoric-sdk/packages/smart-wallet/src/walletFactory.js
/home/connolly/projects/agoric-sdk/packages/smart-wallet/bundles bundled 151 files in bundle-walletFactory.js at 2023-08-04T20:56:02.570Z
creating upgrade-walletFactory-permit.json
creating upgrade-walletFactory.js
You can now run a governance submission command like:
  agd tx gov submit-proposal swingset-core-eval upgrade-walletFactory-permit.json upgrade-walletFactory.js \
    --title="Enable <something>" --description="Evaluate upgrade-walletFactory.js" --deposit=1000000ubld \
    --gas=auto --gas-adjustment=1.2
Remember to install bundles before submitting the proposal:
  agd tx swingset install-bundle @/home/connolly/.agoric/cache/b1-c3005df01654266067b7779d6267037d60f5b995c65a5f8c62b89c4ab42495dfe4ce0914d271399321f6f5575453e56c5e4e8faf791336b9c5177e1d7853c361.json
  agd tx swingset install-bundle @/home/connolly/.agoric/cache/b1-5fad04f7560ba9593321df66f4605cba796a2f03643d98044a0d3e8c3b611deb133d7eea003d06fcbb5b5f898bc0ef82b038a18baa740af64f08925e90ff7bb8.json

## copy results into the /tmp/ directory of the container. $cid comes from `docker ps`
$ for f in ./upgrade-walletFactory* ~/.agoric/cache/b1-* ; do echo $f; docker cp $f $cid:/tmp/; done
./upgrade-walletFactory.js
./upgrade-walletFactory-permit.json
/home/connolly/.agoric/cache/b1-5fad04f7560ba9593321df66f4605cba796a2f03643d98044a0d3e8c3b611deb133d7eea003d06fcbb5b5f898bc0ef82b038a18baa740af64f08925e90ff7bb8.json
/home/connolly/.agoric/cache/b1-c3005df01654266067b7779d6267037d60f5b995c65a5f8c62b89c4ab42495dfe4ce0914d271399321f6f5575453e56c5e4e8faf791336b9c5177e1d7853c361.json

Then, inside the container:

## mint a bunch of IST to pay for publish-bundle txs
agoric-upgrade-11# ./mint-ist.sh

## upload the 2 bundles
agoric-upgrade-11# ./wf-install-bundles.sh

## propose (and enact) the upgrade
agoric-upgrade-11# ./wf-propose.sh

## look at the results
agoric-upgrade-11# less -R ,chain.log

[dckc]

An alternative is to teach agoric run to produce parseable output. This is the 2nd time I didn't opt to do that.

[turadg]

Maybe someday. For testing purposes I think we'd just add a parse-smart version to upgradeHelper.js once that's available

[dckc]

this has got poor-man's-smallcaps-decoding mixed in. The smallcaps-related hacks could at least be moved into the const smallCaps = {...} widget.

[dckc]

btw... @turadg another static typing nit: getCopyBagEntries returns any.

[turadg]

for #7507

[gibson042]

I have a few questions (most relevantly #8147 (comment) ), but the overall approach does work AFAICT.

[gibson042]

What dictates when to use -o json vs. -o jsonlines?

[dckc]

dunno. jsonlines is what I saw everywhere else.

[gibson042]

Was this intentionally left in without some kind of debugging condition?

[dckc]

All over this PR I waffle about how much logging to do. This is one of the reasons I asked to discuss this with you.

[turadg]

since it's test code in a framework that hasn't stabilized and everyone is still learning, I think we should bias towards verbosity

[gibson042]

Suggested change

	echo test_val "$displayInfo" "$expected" "$name displayInfo from boardAux"
	test_val "$displayInfo" "$expected" "$name displayInfo from boardAux"

[dckc]

oops!

[gibson042]

Is anything awaiting results from makeBoardAuxNode via publishBrandInfo? Even if not, it would probably make sense to call E(chainStorage).makeChildNode(BOARD_AUX) only once rather than once for every brand.

[dckc]

I thought I fixed that. Weird.

[gibson042]

This is creating a parallel hierarchy for board-published brands, right? And with a path that is keyed by boardID but lacks an obvious connection to "agoricNames"? Have the right people considered this design and possible alternatives?

[dckc]

Yes, that's what it's doing. Whether it's sufficiently considered is a good question.

Design considerations included:

• ideally, it would be a platform thing, but add (immutable) auxiliary data to Presences? #2069 is an open research problem
• should the mechanism be for things in agoricNames only or for any brand (or any other remotable, for that matter)?
  • we chose: any remotable on the board
• should all the aux data for well-known brands be at one key like agoricNames.vbankAsset or should each brand have a separate key?
  • we chose a separate key

Turadg and I discussed those alternatives and agreed to this one. Sam found it inconvenient to make more than one query but eventually agreed it was better than doing O(n) work for each write.

Figuring out who are the right people is an ongoing challenge, for me. I think bringing in your perspective is useful.

[gibson042]

cc @erights

[erights]

@dckc went over the possible aux data problem with me during recorded office hours today. Since this PR was already otherwise approved and was waiting only on my evaluating of this possible problem, my additional approval here is only approving that there is no such problem here. I have not evaluated the rest of the PR.

Concretely, this is about the canonical concrete example of the problem: That we'd like a presence of a brand to carry the displayInfo. Mapping to the canonical three-party handoff, Carol in VatC is the brand. Alice in VatA sends her presence for Carol to Bob in VatB. VatB, on unmarshalling the message from VatA must form the presence for Carol and deliver it to Bob without waiting for a round trip to VatC. If the brand presence carries the displayInfo at that moment, then VatB would be believing VatA about the displayInfo associated with the brand / Carol, where only VatC should be authoritative about the state of Carol. If VatA lies, then Bob would see the wrong displayInfo.

The entire problem goes away at the cost of a round trip: If the presence itself does not carry the displayInfo, but instead, Bob asks Carol for her displayInfo, then only Carol (and therefore VatC) is taken by Bob as authoritative over Carol's displayInfo. Alice cannot both immediately communicate Carol's identity (by passing a presence) and mislead Bob to believing that identity is associated with a different displayInfo.

The scenario at stake in this PR has none of these hazards. There is no third party less trusted than VatC that can influence the client's notion of what displayInfo is associated with the brand. And the client only obtains the displayInfo after a round trip to querying info that is known only to be updated by those who are legitimately authoritative over that info.

So, if all that makes sense and correctly maps to the question at stake, LGTM. If not, please let me know and we should continue the discussion.

[turadg]

Nice work! Just a couple requests before merging

[turadg]

📝 🙌

[turadg]

question: should we have a global gitignore on -permit.json? if so, should we name them .permit.json to hint that it's a kind of thing?

[dckc]

It is a kind of thing. (There's a static type and could be a pattern). So I'd support renaming all of them together in a separate PR.

[turadg]

#8249, draft until this one lands

[turadg]

please comment what environment provides that source path. Docker? and what wants to override it

[turadg]

remark: probably useful outside upgrade11, but we will refactor in the JS port

[turadg]

remark: will be totally refactored after #8237

[turadg]

nit: shouldn't be necessary.

Suggested change

	// @ts-expect-error chainStorage is only falsy in testing
	// @ts-expect-error UNTIL https://github.com/Agoric/agoric-sdk/issues/8247

[turadg]

consider: inlining the has to the conditional below. This is a valid signal of "upgrading" but we don't need that general signal.

[dckc]

I moved the declaration next to the use.

Fully inlined, it seemed to need a comment. Might as well let the code speak for itself.

[turadg]

TIL

[turadg]

👍

[turadg]

above it says a deep import would accomplish this (importing without all of it). yes or no?

[dckc]

yes.

I think this dates from before I used writeCoreProposal, i.e. when import wouldn't work.