-
Notifications
You must be signed in to change notification settings - Fork 212
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(zoe): Make zcf singleton durable (#9531)
Staged on #9533 refs: #9281 ## Description The `zcf` object will effectively need to be passed through `orchestrate` as an endowment. Because zcf is not durable, or even an exo, we were originally planning to do it with a mechanism involving a standing durable object, and then wrap and unwrap it on either side of the membrane. But if `zcf` were durable, we wouldn't need all this complexity. It turns out, if this PR is correct, that making `zcf` durable is trivial. ### Security Considerations Making `zcf` into a durable exo also involves giving it an interface guard. The interface guard in the first commit of this PR makes a needed exception for `makeInvitation` and `setTestJig` because both of them accept non-passable parameters. The `defaultGuards: 'passable'` option means that all other methods default to a guard that merely enforces that all arguments and return results are passable. This does make `zcf` somewhat more defensive, but not much. Given this starting point, we can grow that `ZcfI` interface guard to do more explicit input validation of the other methods, which will help security, and make us less vulnerable to insufficient input validation in the zcf methods themselves. As we move more of the input validation to the method guards, we should be able to remove ad hoc input validation code in the method which has become redundant. Replacement of ad hoc input validation with declarative guard-based input validation should help security. I don't yet know whether I'll grow the `ZcfI` interface guard to have these explicit method guards in further commits to this PR or in later PR. ### Scaling Considerations The extra guard checks are potentially an issue, but we won't know until we profile. ### Documentation Considerations none ### Testing Considerations I need to understand `setTestJig` better. ### Upgrade Considerations Making `zcf` durable means that it has a durable identity that survives upgrade. As a durable exo singleton, it is stateless, meaning that it gets back all the state it needs during `prepareExo` as state that its methods capture (close over) rather than as exo instance state. This reflects naturally the initial intuition that the `zcf` endowment, being stateless, could just be represented to `asyncFlow` as a singleton standin, re-endowed during the prepare phase.
- Loading branch information
Showing
6 changed files
with
34 additions
and
20 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
import { M } from '@endo/patterns'; | ||
import { AmountKeywordRecordShape, IssuerRecordShape } from '../typeGuards.js'; | ||
|
||
export const ZcfSeatShape = M.remotable('zcfSeat'); | ||
|
||
export const ZcfMintI = M.interface('ZcfMint', { | ||
getIssuerRecord: M.call().returns(IssuerRecordShape), | ||
mintGains: M.call(AmountKeywordRecordShape) | ||
.optional(ZcfSeatShape) | ||
.returns(ZcfSeatShape), | ||
burnLosses: M.call(AmountKeywordRecordShape, ZcfSeatShape).returns(), | ||
}); | ||
|
||
export const ZcfI = M.interface( | ||
'ZCF', | ||
{ | ||
makeInvitation: M.call(M.raw(), M.string()) | ||
.optional(M.record(), M.pattern()) | ||
.returns(M.promise()), | ||
setTestJig: M.call().optional(M.raw()).returns(), | ||
}, | ||
{ | ||
defaultGuards: 'passable', | ||
}, | ||
); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters