Declaring Required Capabilities
Most contract deployments don't need everything in BootstrapPowers
. Verifying by inspection that they don't use any more than they need is notoriously difficult. So proposals come with a BootstrapManifestPermit
to declare an upper limit on the capabilities they access. For a property access powers.P
, if the permit has { P: true }
, then the access succeeds. In fact, any truthy value will do. And recursively, a property access powers.P.Q.R
succeeds if the permit has { P: { Q: { R: true } } }
.
The permit for startSellConcertTicketsContract
is:
/** @type { import("@agoric/vats/src/core/lib-boot").BootstrapManifestPermit } */
export const permit = harden({
consume: {
agoricNames: true,
brandAuxPublisher: true,
startUpgradable: true, // to start contract and save adminFacet
zoe: true, // to get contract terms, including issuer/brand
},
installation: {
consume: { [contractName]: true },
produce: { [contractName]: true },
},
instance: { produce: { [contractName]: true } },
issuer: { consume: { IST: true }, produce: { Ticket: true } },
brand: { consume: { IST: true }, produce: { Ticket: true } },
});
export const main = startSellConcertTicketsContract;
Selected BootstrapPowers
In the top level promise space, we have:
agoricNames: read-only access to the agoricNames name service.
agoricNamesAdmin: admin / update access to agoricNames and the name hubs it contains. Warning: this includes access to over-write existing bindings to instances, brands, etc.Warning: this includes the right to over-write existing bindings to instances, brands, etc.
bankManager: to manage reflection of cosmos assets as ERTP assets: to register an issuer to correspond to a denom or to get a bank of purses for any address. Warning: this includes the right to spend assets for any account.
board: the board name service. Note: the board only grows; no mechanism to reclaim storage has been established.
chainStorage: to make storage nodes to write to vstorage. Warning: this includes access to over-write previously allocated storage nodes.
chainTimerService: for getting the current timer and setting timer wake-ups; for example, at the conclusion of a governance vote. See Timer Service API. Note: this includes access to schedule infinitely repeating events.
namesByAddress: for looking up objects published under an address; in particular, a
depositFacet
.namesByAddressAdmin: admin (write) access to namesByAddress. Warning: this includes access to re-direct where payments to an address go.
priceAuthority: access to get price quotes and triggers; see Price Authority Guide.
priceAuthorityAdmin: access to add and replace sources of price quotes using E(priceAuthorityAdmin).registerPriceAuthority()
zoe: the Zoe service