feat: introduce shared procedure policies for multisig auth

[onurinanc]

Related Issue: #2669

[PhilippGackstatter]

Looks good! I think the overall logic makes sense.

I left a few comments about structure, validation and readability. Overall:

• There is a lot of terminology that would be good to explain in a bit more detail (I think ProcedurePolicy type would be a good place):
  • immediate_threshold
  • delay_threshold
  • lane / mode
  • note restrictions
  • multisig runtime (I'd try to avoid this term if possible)
  • transaction-shape constraint / note-shape constraint
• We should ensure we construct only valid instances of types. Applies to AuthMultisigConfig and ProcedurePolicyMode.
• In general, it would be good to avoid making fields in structs public because that makes it harder to evolve these structs without breaking the API.
• Afaict, we use a couple of terms interchangebly and it'd be great to pick one and use it consistently:
  • "lane" and "mode" (I like the term lane in this context)
  • "constraint" and "restriction"
  • "direct execution lane" and "immediate execution"

[PhilippGackstatter]

Nit: This constant should probably go into the constants section above rather than the errors section. Would also be good to add a short doc comment.

[PhilippGackstatter]

If these procedures do not need to be public, I'd keep them private.

[onurinanc]

Agreed to keep pub proc get_current_num_approvers it private but get_procedure_policy will be used by the smart multisig.

[PhilippGackstatter]

Suggested change

	#! Inputs: [proc_root]
	#! Outputs: [immediate_threshold, delayed_threshold, note_restrictions, 0]
	pub proc get_procedure_policy(proc_root: word)
	#! Inputs: [PROC_ROOT]
	#! Outputs: [immediate_threshold, delayed_threshold, note_restrictions, 0]
	pub proc get_procedure_policy(proc_root: word)

Nit: This is a word, right?

Also, the type signature is different from the doc-comment signature.

[PhilippGackstatter]

Do we need to store these in that order or would the reverse also work? If so, I'd change it to use loc_storew_le.

[PhilippGackstatter]

It would be great to introduce local constants for this procedure, so it reads like loc_load.IMMEDIATE_THRESHOLD_LOC.

[PhilippGackstatter]

Is there a reason we couldn't validate this in AuthMultisigConfig already? iiuc, this currently allows constructing an invalid config (e.g. using ProcedurePolicyMode::DelayOnly).

[PhilippGackstatter]

Nit: Could we add some intermediate stack comments here to make this easier to read?

[PhilippGackstatter]

I think we only use 4 locals, but would be good to double-check.

[PhilippGackstatter]

Nit: This procedure has quite a bit of logic in it. It might make sense to call a wrapper like get_immediate_threshold that extracts the immediate threshold internally instead of get_procedure_policy and extracting the threshold here.

[PhilippGackstatter]

Nit/Optional: Another thing that would make this procedure easier to read is add a small u32_max procedure that does the logic internally.

[PhilippGackstatter]

Nit: We don't need a vec, so we could take impl IntoIterator<...> instead.

[PhilippGackstatter]

Based on validate_procedure_policies_auth_multisig, AuthMultisigConfig only supports ProcedurePolicyExecutionMode::ImmediateOnly and ProcedurePolicyNoteRestrictions::None, right?

If so, I would not change this to ProcedurePolicy because this allows representing invalid states in the first place. If we keep it as is, we do not need validate_procedure_policies_auth_multisig at all. We should also remove all constructors that take ProcedurePolicy as input for the same reason - it's an invalid state.

We can still make use of ProcedurePolicy in From<AuthMultisig> for AccountComponent to initialize storage, but it would be an implementation detail rather than a part of the public contract.

[onurinanc]

Thanks for this comment!

• I initially approached this with the idea of having a shared base AuthMultisigConfig for all multisig components, but I now think that this ended up creating a structure and helper procedures that do not add much meaning.
• The other reason of having procedure_policies was to keep a common structure for the MASM templates, because that would allow the items using this config slot in multisig.masm (PROC_THRESHOLD_ROOTS_SLOT) to remain common. If we do not do this, then the common procedures currently implemented for AuthMultisigSmart would most likely need to be reintroduced under similar names, such as for these procedures: assert_proc_thresholds_lte_num_approvers, compute_transaction_threshold, and set_procedure_threshold. I had also made this choice with the next PR (AuthMultisigSmart) in mind, but at this point I agree with you. I think proc_thresholds: Vec<(Word, u32)> should remain as it is.

[PhilippGackstatter]

Suggested change

	pub enum ProcedurePolicyNoteRestrictions {
	pub enum ProcedurePolicyNoteRestriction {

Nit: It's a single restriction (that may encapsulate multiple restrictions) we set and not multiple ones, so I'd still suggest using singular.

[PhilippGackstatter]

I think it would be worth making the last variant more precise because it could be read as "no input and output notes" or "no input or output notes", and I think it's the latter.

[PhilippGackstatter]

If we don't need the proc_threshold, we shouldn't duplicate it a couple of lines above and remove the drop.

[PhilippGackstatter]

Why do we have both of these?

• set_procedure_threshold(proc_threshold, PROC_ROOT)
• set_procedure_policy(immediate_threshold, delayed_threshold, note_restrictions, PROC_ROOT)

We can do everything with set_procedure_policy and we don't need set_procedure_threshold anymore, right?

If we do need the latter, we should rename it to make it clear that it sets an immediate threshold, e.g. set_immediate_procedure_threshold.

[PhilippGackstatter]

This overwrites any previously set delay threshold or note restrictions with 0 - is that intended? Related to a previous comment about whether we even need this procedure anymore.

[PhilippGackstatter]

This is a question to better understand the direction this is going to take, so I can better review the PR.

We plan to eventually have three multisig components, AuthMultisig, AuthMultisigSmart and AuthGuardedMultisig, right? And they all share the same code (crates/miden-standards/asm/standards/auth/multisig.masm)?

If so, would we also pay the execution price for the more advanced multisig features (note restrictions, delayed execution) for the basic AuthMultisig? And if so, it seems it would make sense to just have two components AuthMultisigSmart and AuthGuardedMultisig, since the smart version can just be configured to be like the "basic" one, right?

We could still define struct AuthMultisig(AuthMultisigSmart) (i.e. a simpler wrapper that configures the smart version without advanced features), but at the MASM level we'd only have to think about two versions, which would be helpful in terms of complexity.

[onurinanc]

Thank you for this comment! I think in this PR the path is not much clear, so related to with this comment: #2670 (comment) I've removed the procedure_policies for Multisig and the GuardedMultisig versions, and also for the AuthMultisigConfig.

But, I've kept the procedure_policies in this PR rather than the following MultisigSmart PR. (Or, do you want me to combine this PR with the following one?)

[PhilippGackstatter]

I think this assertion makes sense to have in this procedure, but the validation starting from here (threshold and note restriction validation) seems unnecessary because we assert the same things in set_procedure_policy already, right?

If we do somehow need it, it'd be awesome if we could deduplicate the validation code into a helper procedure, because we can maintain it in one place.