6701 EC addOracles to a governed fluxAggregator

[turadg]

part of: #6701
split from #6963 and cleaned up for easier review
Next will be removeOracles which requires the caretaker pattern

Description

Grants EC the power to addOracles to a price feed.

• feat(price): addOracles by EC

Do that required giving the EC the ability to VoteOnApiCall:

• feat(ec-charter): VoteOnApiCall

Supporting changes:

• refactor(fluxAggregator): split singleton / contract
• feat: puppetGovernance setup tools
• fix(governApi): harden returns
• test(smartWallet): extract helpers from psm integration

PR also includes some incidental cleanup:

• BREAKING CHANGE: remove 'aggregators' from space (I don't think it worked anymore. cc @michaelfig )
• refactor: DRY WalletName.depositFacet
• test(price): rename test-fluxAggregator
• test(price): simplify fluxAggregator test

Security Considerations

Makes the fluxAggregator subject to changes by governance. This is granted only to the EC.

Scaling Considerations

--

Documentation Considerations

removing aggregators from the space might impact REPL usage. Users are better off doing a lookup imo.

Testing Considerations

New integration test of FA governance with wallet.

[michaelfig]

BREAKING CHANGE: remove 'aggregators' from space (I don't think it worked anymore. cc @michaelfig )

I'm okay with this. Its intention was to provide control over the oracles to the BLDer DAO. I presume there's enough machinery added to the bootstrap promise spaces so that BLDer DAO proposals can do the same sorts of things that the EC can do?

[Chris-Hibbert]

If the fluxAggregator has a quoteMint, it seems like that should be publicly visible. I see that it eventually makes it way to the priceAuthorities, which presumably share it, but shouldn't it be available from the fluxAggregator as well?

[turadg]

If the fluxAggregator has a quoteMint, it seems like that should be publicly visible.

Why?

I see that it eventually makes it way to the priceAuthorities, which presumably share it

Not sure where you're seeing that. Here the PA gets just quoteKit.issuer,

  const { priceAuthority } = makeOnewayPriceAuthorityKit({
    createQuote: roundsManagerKit.contract.makeCreateQuote(),
    notifier: makeNotifierFromSubscriber(answerSubscriber),
    quoteIssuer: quoteKit.issuer,
    timer: timerPresence,
    actualBrandIn: brandIn,
    actualBrandOut: brandOut,
  });

The other read of quoteKit in this module is to pass it to makeRoundsManagerKit, which uses it only for,

        const quoteAmount = AmountMath.make(quoteKit.brand, harden(quote));
        const quotePayment = await E(quoteKit.mint).mintPayment(quoteAmount);

[Chris-Hibbert]

Sorry, I meant that the issuer should be public. The priceAuthorities provide access to their quoteIssuer (I think). Shouldn't the aggregator do the same? Are there parties to the conversation that know the aggregator and don't talk to individual PAs? If not, then I guess it's not necessary, but it feels like the Aggregator should be the main authority on the Issuer if it's the one that makes it.

[turadg]

Are there parties to the conversation that know the aggregator and don't talk to individual PAs?

Not on the consumption side, TMK.

[Chris-Hibbert]

Do we want this to be durable/recoverable, even if it didn't come from privateArgs?

[turadg]

Out of scope. Those are concerns for #6853

[Chris-Hibbert]

Maybe displayName? debugName seems pejorative.

[turadg]

these are just jsdocs for params that were already there. The type annotation serves this PR. Changing the param name doesn't. It doesn't seem worth a drive-by either. Since you said "maybe" I take it that's not an approval requirement.

[Chris-Hibbert]

There's no test for the charter? Hmm. Seems like an oversight.

[turadg]

I'm okay with it since we need to test uses of the charter to govern and we do in the smartWallet integration tests.

[Chris-Hibbert]

passing state to a helper seems like an anti-pattern, since state is mutable. Can this be done by passing state.balances since the operation is supposed to be read-only?

[turadg]

it could be but since this is a test I've opted for ease of writing and reading.

Is this a blocking request?

[Chris-Hibbert]

Not if it's a lot of work. How much work does it save?

[turadg]

My objection wasn't on amount of work to make the change. It was that it made calling require more typing.

In this case the function was no longer used so I've removed it.

[Chris-Hibbert]

Suggested change

	const trace = makeTracer('FluxAgg');
	const trace = makeTracer('FluxAgg, false');

[Chris-Hibbert]

You can pick and choose if it shouldn't all be there.

[turadg]

Oh good. I think this came when I ran into some type problems in #6963 . Removed now.

[Chris-Hibbert]

tickN(6) would be better and is supposed to do the same thing. I recently noticed that it doesn't seem to be equivalent. Can you see why it makes a difference?

[turadg]

This file was redundant with test-fluxAggregator and I removed it in a subsequent PR. I've rebased to remove it here.

[Chris-Hibbert]

I don't have a strong objection to .contract.js, but it's a change/addition to our naming scheme. I'd prefer to stick to our existing pattern until we have a decision to switch.

[Chris-Hibbert]

s/fluxAggregator.contract.js/fluxAggregatorContract.js

[turadg]

Good eyes. it’s passing CI because it’s wrapping type is not resolved and thus any. (Unfortunately JSDoc TS doesn't complain about that.) I'll get to fixing this in #6987