fix(governance): some governance invitations use proposal patterns

[erights]

Start replacing uses of the deprecated assertProposalShape with makeInvitations direct support for proposalShape patterns. This provides better protection for contracts against malformed offers. When an offer's proposal violates the contract's required proposalShape pattern, it is rejected in Zoe and the contract never even sees the malformed offer.

This PR is somewhat empirical, revising the provided proposal patterns so that they were tighter than the assertProposalPattern call it replaced, while still passing all tests. For each modified contract, it would be good for someone who knows the meaning of the contract to do a sanity check on the proposalShape pattern.

One particular way these patterns could be tighter, to protect the contract from seeing more malformed offers, is to use the amountShape specific to the brand the contract is willing to accept in that position. I skipped that additional work, leaving a TODO there instead. Reviewers, if you know what brand-specific amountShape I should use in any such case, please let me know.

Upgrade considerations

We definitely need to think hard about whether this PR introduces any representation changes that create an upgrade issue. The proposal shapes that we're less worried about were extracted into #8268 , leaving only some governance cases here.

[dckc]

I commented on the ones I know.

[dckc]

I don't think so... but only because I don't see a case where you would want to give both collateral and debt-brand, or want both. Why is that allowed in vaultFactory?

[turadg]

The requirement for VaultFactory AdjustBalances is that you can "give" or "want" without specifying the other.

I don't know either of a good use case for giving the same brands as you're wanting, but there's also not a strong reason to forbid that and allowing it makes the shape simpler to implement the above requirement.

Doesn't the StakeFactory have the same requirement? i.e. that you can specify one and the other is implied by your staked holdings. If so we lack test coverage for that case because this shape isn't throwing.

[Chris-Hibbert]

I can't tell whether this is redundant with what @turadg said, but I want to be explicit:

with VF AdjustBalances, you can give both or want both or give one and want the other. I don't think it ever makes sense to have the same keyword in both give and want.

[dckc]

If so we lack test coverage for that case ...

That's where my mind went too.

I'm not sure I can justify the time to swap in the relevant context for this just now.

[erights]

The goal for this PR is to express with patterns at least the restrictions that were expressed by assertProposalShape and similar, but still be unrestrictive enough to allow everything we should be allowing. So, based on what I think I understood of the above comments, I did revise this pattern to be like the AdjustBalancesProposalShape from VF, that is more accepting.

PTAL and let me know if I misunderstood. Leaving this Conversation unresolved until I hear back.

[erights]

The goal for this PR is to express with patterns at least the restrictions that were expressed by assertProposalShape and similar, but still be unrestrictive enough to allow everything we should be allowing. So, based on what I think I understood of the above comments, I did revise this pattern to be like the AdjustBalancesProposalShape from VF, that is more accepting.

PTAL and let me know if I misunderstood. Leaving this Conversation unresolved until I hear back.

[erights]

Seems annoyingly similar to the zcf.makeInvitation call in stakeFactoryKit function makeCloseInvitation. As a result, the proposalShape used here is annoyingly like the one used there. Can we consolidate both?

Leaving Conversation unresolved until I hear back.

[Chris-Hibbert]

seems like they could be unified. What's the obstacle? The factory has the branded amounts. Can the kit get them from there? Is there an obstacle to the Kit making the branded amounts itself?

[erights]

@Chris-Hibbert I recall we discussed this, but I no longer remember where we landed. Do you?

[Chris-Hibbert]

I don't remember the conversation. Shall we try again?

[datadog-full-agoric]

Datadog Report

Branch report: markm-more-invitation-proposal-patterns
Commit report: 9fb3e17

✅ agoric-sdk: 0 Failed, 0 New Flaky, 3661 Passed, 57 Skipped, 19m 47.42s Wall Time

[datadog-full-agoric]

Datadog Report

Branch report: markm-more-invitation-proposal-patterns
Commit report: dbbd635

❌ agoric-sdk: 1 Failed (0 Known Flaky), 0 New Flaky, 2910 Passed, 29 Skipped, 17m 30.73s Wall Time

❌ Failed Tests (1)

• bootstrapTests › demo-config › sim/demo config provides home with .myAddressNameAdmin - agoric.vats - Details

  Expand for error

   ---
       name: AssertionError
       assertion: deepEqual
       values:
         'Difference (- actual, + expected):': |2-
             [
               'agoricNames',
           -   'bank',
           +   'attMaker',
           -   'behaviors',
   ...
  

[erights]

Reviewers,

Enough has changed that it is worth asking afresh: What's needed for me to move this forward? Because

• this contributes to defensiveness against incoming messages,
• may be easy since it has stayed green for a long time
• makes more of our code a better example for others to follow

I would like to make progress on this. But no great urgency.

[erights]

If some cases remain problematic, I'd rather just postpone those to a later PR and make progress now on the non-problematic ones. Thanks.

[dckc]

What's needed for me to move this forward?

The emerging norm is to have upgrade tests for any contracts deployed in production; in particular, committee.js.

Pegasus is not (yet) in production, so landing that seems un-problematic. I think auction.js likewise.

For the helper functions, I'd like to see them traced back to any production bundles that they might appear in.

[dckc]

I'm not sure about landing changes to committee.js without at least a scheduled issue for upgrade testing. @turadg ?

[turadg]

I'm not sure about landing changes to committee.js without at least a scheduled issue for upgrade testing. @turadg ?

Given the low urgency of landing this and that we have upgrade-12 scheduled, I'd request such a test be included in this PR before considering landing it.

We definitely need to think hard about whether this PR introduces any representation changes that create an upgrade issue.

Please include this in an "Upgrade considerations" section in the main PR description.

[erights]

Please include this in an "Upgrade considerations" section in the main PR description.

Done

[erights]

I'm not sure about landing changes to committee.js without at least a scheduled issue for upgrade testing. @turadg ?

Given the low urgency of landing this and that we have upgrade-12 scheduled, I'd request such a test be included in this PR before considering landing it.

What if I postponed the committee.js changes to a later PR? What if I postponed all the packages/governance changes to a later PR?

[dckc]

Separating governance might do it. Would have to check whether the zoe changes affect any production bundles too.

[erights]

Zoe and Pegasus cases extracted to #8268 , leaving only the governance cases here.

[Chris-Hibbert]

Looks good.