feat(vats): implement "big hammer" governance

[michaelfig]

closes: #4352

Description

Implement 'core' bridge handler to enable governance to evaluate core boot code. Update solo to allow new home objects to be pushed.

Remove "leftover actions" assertion, since it is fragile in the face of governance and has thus outlived its usefulness (all actions that make it through the actionQueue are precious, not just heuristically-determined ones).

Drive-by update faucet-helper.sh not to give away so many assets.

Demo

This is a demo of the end-to-end: passing a governance action to add something to every ag-solo's home:

cd packages/cosmic-swingset
make scenario2-setup scenario2-run-chain # in one console
make scenario2-run-client # in another console
# Wait for chain and client to boot, then type at the REPL: `agoric`
# propose and vote on gov-permit.json and gov-code.js:
make scenario2-core-eval scenario2-vote
agd query gov proposals
# Wait for the voting_end_time to happen, then voila, typing `agoric` at REPL results in `youAreGoverned`:

Security Considerations

No new security dependencies beyond what 2/3 validators could do anyway.

Documentation Considerations

Testing Considerations

Will be tested in earnest on the next Devnet.

[dckc]

Looks great!

where is the .proto thingy?

I should probably test this a bit.

[dckc]

Suggested change

	* This is the code triggered by `agd tx gov submit-proposal swingset-core-eval
	* This registers the code triggered by `agd tx gov submit-proposal swingset-core-eval

[dckc]

I can haz static type plz?

Or a comment cross-referencing a .proto file?

[michaelfig]

Ah, that helped me catch a bug. The json_permits needed parsing.

[dckc]

console... hm... I guess that's reasonable.

How about assert while we're at it?

[michaelfig]

How about assert while we're at it?

Added here and in repl.js for the pleasure of the ag-solo REPL.

[dckc]

I feel even more strongly about magic strings than I did before getting into this bootstrap stuff.

Suggested change

	await E(bridgeManager).register('core', handler);
	const CORE_BRIDGE_ID = 'core';
	await E(bridgeManager).register(CORE_BRIDGE_ID, handler);

with the definition at the top. and exported.

Well... I dunno... Maybe I can stand to leave it alone until we have another piece of code that has to use the same string.

[michaelfig]

Well... I dunno... Maybe I can stand to leave it alone until we have another piece of code that has to use the same string.

That day is today. I've created packages/vats/src/bridge-ids.js.

[dckc]

is makeCoreEval useful on the sim-chain?

[michaelfig]

I've renamed it to bridgeCoreEval and moved it to just the chain manifest.

[dckc]

I verified that this works as advertised:

command[4] agoric.youAreGoverned
history[4] "agoric15ccjs5hmhrnsszd55npfr22gkfjeu4les90l4a"

I see the .proto was introduced in #4625 .

There I find discussion of documentation burden:

There will certainly be documentation, but this help string is not the place for it.
-- #4625 (comment)

I prefer that any such statements about the future come with references to issues by number, but I don't suppose that's critical to landing this PR.

I'm also a little hesitant that the bulk of the testing here is manual integration testing, but again, test-boot.js does seem to cover it at least a little.

just realized: I should test starting the RUN protocol.

[dckc]

Let's have the evaluated code return a function and pass the powers to that function, so that the evaluated code can be organized according to POLA rather than having powerful globals available ambiently.

[dckc]

I was able to start the RUN protocol, though it's a little twisty. I'll be thinking about ways to straighten it out.

[dckc]

feel free to add powerless stuff such as utils, bootBehaviors, ... to the globals.