Refactor/seed protection

[Empowerful]

Introduction

This PR is both a proof of concept and first step toward protecting the backup phrase. It is presented here for review but is not intended to be merged (see below for why).

To protect the backup phrase I divided the Web Wallet into two separate applications: one trusted more (the "Root Document") and the other trusted less (the "Main Process"). The Main Process is an <iframe> within the Root Document that takes up the whole viewport and is served locally via port 8082. The two applications communicate with each other via postMessage.

To save development time I created each application from a complete copy of the current Web Wallet and then made modifications to them. The two applications are mostly the same but over time will become more differentiated as I remove code that's no longer relevant to each application.

Notes

• In the code you'll see the applications sometimes referred to as "realms". A realm is a JavaScript environment with a distinct namespace.
• The main-process directory is not within packages because Yarn doesn't support nested workspaces.
• My new inter-realm communication library is in its own subdirectory (web-microkernel) because it will be moved into its own repository in the future.

Use

Install new dependencies:

$ yarn

Start the Main Process on port 8082:

$ cp config/env/* main-process/config/env
$ cd main-process
$ yarn
$ yarn start:staging

Once the Main Process has started, open a second terminal in the top level of the repository and start the Root Document application on port 8080:

$ yarn start:staging

Questions and feedback are highly encouraged.

[Empowerful]

@tony-blockchain asked to see some examples of the inter-realm encoding.

Here's the handshake of the two realms exchanging their exports with each other:

[
  "object",
  [
    ["axios", ["function", { "key": "1sz07pq", "length": 1 }]],
    ["dispatch", ["function", { "key": "y3qkt9", "length": 1 }]]
  ]
]

["object", [["dispatch", ["function", { "key": "1tzy5g1", "length": 1 }]]]]

Notice the keys are randomly generated so that a compromised realm couldn't guess the keys in the other.

Here's an example of a function call. This is calling the Redux dispatch function in the other realm to forward the AUTHENTICATE action:

[
  "functionApply",
  {
    "args": ["array", [["object", [["type", ["string", "AUTHENTICATE"]]]]]],
    "functionKey": "oqxn13",
    "returnValueKey": "rszz94"
  }
]

Here's the result of the function application being returned:

["functionReturn", { "returnValueKey": "rszz94", "value": ["number", 0] }]