Organization

This epic is the last in a sequence of milestone epics.

Acceptance criteria

• On-chain wallets validated to be working well enough for MN-1 release

Background

Why?

• Avoid users having to manage client state (“I bricked my machine” #2629)
• Making an electron app (cf. exo) is risky
• Asking users to install an electron app is burdensome (though not beyond market norms)
• reduce round-trips (#3802 )

ledger integration

@warner to research JSON blob details etc. what can be signed? Hash? JSON blob?

_Originally posted by @dckc in https://github.com/Agoric/agoric-sdk/issues/2629#issuecomment-948970573_

Design notes

Normalised data model

For a given user-specific wallet, the backend’s data records each have:

• a meta property consisting of { id, createdAt, modifiedAt }, where id is unique for the specific wallet instance, and the *At stamps are fodder for new Date(somethingAt)
• an actions presence that allows the manipulation of that record

Every collection of data records is enumerable and presents a notifier that is updated with the entire collection’s contents as any changes are made.

If there are any wallet entities that don’t conform to this data model (i.e. currently petnames and dapps), they should be updated to conform.

Private data

User annotations on data (e.g. the assigned petnames, and any comment fields) should be private, that is they should be encrypted in such a way that the user’s HD signer or recovery phrase can decrypt them.

It may be advantageous to represent this encrypted data as a single normalised record mapping from id to associated data so that it can be decrypted and re-encrypted in bulk. Because it contains timestamps in its "meta" property, we will know when it applies (as suggested by @JimLarson).

Cosmos chain integration

Pluggable storage of normalised records is an important feature of the wallet. For a strawman implementation, the storage system would use the IAVL tree, to be able to expose them via Cosmos-idiomatic queries, events, and transactions.

The wallet backend and wallet frontend need an agreed-upon wallet middleware to encode and decode messages to and from the chain, without affecting the ocap programming model of either the frontend or backend.

Pervasive sturdyrefs

If the normalised data model is adopted throughout the user’s wallet, the user’s wallet admin facet can provide a way to look up a given data record (including its actions presence) via its id. This corresponds to a sturdyref whose contents can only be mutated by signed transactions to the appropriate wallet service.

Queries

The @agoric/marshal-serialised wallet records should be queriable from RPC nodes without causing a transaction or any SwingSet mutation. Ideally, the storage system would be able to provide proofs for the query results as well.

Events

Every wallet backend data record update will result in a Cosmos “event” such as:

wallet.owner=agoric1...
wallet.id=NNN
wallet.update={"meta":{"id":NNN,"createdAt"...},"foobar":"baz"...}

where the wallet.update value is the @agoric/marshal serialised record (mapping known presences to ids). The wallet frontend-middleware can subscribe to the wallet.owner=agoric1... corresponding to their owner and receive updates over a WebSocket without needing to poll. Such update events would be converted into the usual notifiers for the wallet frontend.

agoric.wallet.MsgPerformAction

To preserve ocap integrity, the generic data records would only be updateable by sending a message to its action presence. On the wallet frontend, normal E calls would translate into a chain transaction message containing (@agoric/marshal-serialised):

• the id to look up as the target,
• the method to call on its action presence
• any arguments to that method (which may also consist of id lookups).

This message would be @agoric/marshal-serialised by the frontend-middleware and deserialised into an actual method call by the backend-middleware. That way, we avoid the potential incompatibilities with other data formats such as pure JSON.