handler could fail to do one of steps to satisfy an offer

[dtribble]

Describe the issue
In the current API, for a given offer to be satisfied, the contract must:

• stage an allocation change for the offer's seat
• do the reallocate
• exit the seat

Having forgotten to add the appropriate exit operation for an offer, these each seem like steps that the contract could miss without warning. For example, the offer might be staged, but the reallocate is in a conditional, and then the offer gets exited. Or staging and reallocation happens, but the offer never gets exited.

Possible solutions

• have a separate operation for decline which is exiting an offer unchanged. At the very least to issue a warning.
• statically analyze whether each offer has a path to completion
• require that stages be consumed in a handler, so that if a seat gets staged but not reallocated (or cancelled) it's a bug.
• require that' seats that will stay open beyond their initial handler have that declared. (e.g., without seat.keepOpen(), an error or warning is issued).

[katelynsills]

We think that we might want to see more usages before working on this.

[katelynsills]

We haven't been able to prevent all of the missing steps in (stage, reallocate, exit), but we have been able to enforce:

1. Exiting a seat will error if a staged allocation exists for the seat (meaning no reallocation occurred)
2. Reallocations will error if not all seats with staged allocations are included.

[erights]

Since we're killing staging (See #3850 and #4327 ), I like the last bullet above best:

• require that seats that will stay open beyond their initial handler have that declared. (e.g., without seat.keepOpen(), an error or warning is issued).

Assigning myself. But I have no immediate plans to do anything about this one.