support changes to governed APIs

[Chris-Hibbert]

closes: #9990

Description

When a contract is upgraded, we'll read the governed APIs afresh.

Security Considerations

Nothing special. The point of governed APIs is that contracts can make access to calling specific APIs legible in the sense used by governance.

Scaling Considerations

Not an issue.

Documentation Considerations

If we had detailed documentation on governance, this would be worth adding to the docs.

Testing Considerations

Added a bootstrap test showing that a contract can be upgraded and the new APIs will be available after upgrade.

Upgrade Considerations

AssetReserve, fluxAggregator, and VaultFactory use apiGovernance and might need this support if any governed APIs were added.

[cloudflare-workers-and-pages]

Deploying agoric-sdk with    Cloudflare Pages

Latest commit:	ffe2dd6
Status:	✅  Deploy successful!
Preview URL:	https://90740884.agoric-sdk.pages.dev
Branch Preview URL:	https://9990-upgradeapis.agoric-sdk.pages.dev

View logs

[dckc]

Yes, I agree we should merge this.

How to validate it on a testnet in an upcoming release is sort of... interesting. It will have no impact until some governed contract gets upgraded. That might be in a later release. At that point, there would be a testing burden to verify that this fix works. But this issue won't be listed in the things we fixed for that later release. Seems like an acceptable risk.

The rest of my comments are sort of thinking out loud. Maybe I should keep them to myself... but I suppose I'll share anyway.

[dckc]

Is it important to use .install(...) rather than .installBundleID(...)?

[Chris-Hibbert]

Nope. They're equally useful AFAICT.

In order to understand, I looked at the docs, and realized they were out of date, so I created Agoric/documentation#1265.

[dckc]

module level mutable state. hm. consider using a promise(kit) in t.context something like t.context.governedContractKit.promise and .resolver

[Chris-Hibbert]

I didn't mind module mutable state in a test. What javascript is missing here is write-once variables, but you're right that promises provide that ability. Done.

[dckc]

I wonder why we're adding governedContract to agoricNames.instance

[Chris-Hibbert]

[I don't have good terminology for this. I welcome cleaner solutions.]

I needed an object with getKref() to pass to governanceDriver.proposeApiCall(). Storing the object in agoricNames, and retrieving it withEV was the only path I found that worked.

If it had been a substantive contract, storing the instance in agoricNames would have been a reasonable thing to do, and it would have had a more plausible name. j

[dckc]

after thinking about this a bit, it's probably OK as is. But I'll leave some breadcrumbs...

can we make it the caller's responsibility to mark it Far? Making the record in one place and marking it Far in another is odd.

One possibility is to make a new record...

Suggested change

	// Far side-effects the object, and can only be applied once
	const farGovernedApis = Far('governedAPIs', governedApis);
	// Far side-effects the object, and can only be applied once
	const farGovernedApis = Far('governedAPIs', { ... governedApis });

[Chris-Hibbert]

One possibility is to make a new record...

Thanks. That's a much better answer.

[dckc]

Is it really the case that the only exception possible is that the facets were not durable? I suppose so... zcfBaggage.get(...) is the only thing in the try.

But if get(...) had a bug, we might lose diagnostic info here. It feels weird to throw away e completely.
log it?

[dckc]

Do we support something like this?

Suggested change

	} catch (e) {
	Fail`restartContract failed: original contract facets were not durable`;
	}
	} catch (e) {
	throw assert.error(`restartContract failed: original contract facets were not durable`, { cause: e });
	}

[Chris-Hibbert]

In what way would that be better?

I think Fail gets us an error, a stack, and messages visible in logs. I don't know what throw assert.error() could add to that. Whatever assert.error() does, I wouldn't expect it to return something that would be useful to throw, but I certainly don't know for sure.

[dckc]

In what way would that be better?

It doesn't throw away the details of e. Note especially { cause: e }

[dckc]

it's a little hard to see the forest for the trees.

Part of me would like the uninteresting stuff moved to a separate file, but then I'd have to jump back and forth.

[Chris-Hibbert]

ack.

[Chris-Hibbert]

Ah, of course.
(rhetorical) Why didn't yarn lint warn me about an unused variable?
I can't easily add that to my pre-check script, since it's just a grep pattern.

[mergify]

This pull request has been removed from the queue for the following reason: checks failed.

The merge conditions cannot be satisfied due to failing checks:

• ❌ integration-test-result
• ☑️ linear-history

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.

If you want to requeue this pull request, you need to post a comment with the text: @mergifyio requeue