api: Protobuf API Draft #1

[jbowen93]

This discussion proposes an initial rough draft of a Protobuf API for the Celestia Node.

This API should be seen as an addition to the existing JSON RPC API, comments on the potential implications of this API replacing the existing API are premature.

This API doesn't provide an equivalent of the existing State API, for discussion of how the Node API should or shouldn't interact with the broader Celestia state machine see this post.

This API doesn't provide provide an equivalent of the existing Node or P2P APIs. These APIs should only be used by a node's admin and thus are out of scope.

This API is agnostic to any specific programming language's semantics.

This API attempts to follow a Resource-oriented design.

This API attempts to follow Protocol Buffers API Best Practices

Blobs

The blob type is defined in the celestia-node codebase here:

type Blob struct {
	types.Blob `json:"blob"`

	Commitment Commitment `json:"commitment"`

	// the celestia-node's namespace type
	// this is to avoid converting to and from app's type
	namespace share.Namespace

	// index represents the index of the blob's first share in the EDS.
	// Only retrieved, on-chain blobs will have the index set. Default is -1.
	index int
}

types.Blob is a reference to "github.com/celestiaorg/celestia-app/x/blob/types" which defines its own blob proto here and references the go-square proto here.

The only difference between these protos is that the latter adds a bytes signer = 5; field, for simplicity we ignore that field.

message Blob {
    bytes namespace_id = 1;
    bytes data = 2;
    uint32 share_version = 3;
    uint32 namespace_version = 4;
    bytes commitment = 5;
    uint32 index = 6;
}

message BlobRequest {
    uint64 height = 1;
    bytes namespace_id = 2;
    bytes commitment = 3;
}

message BlobResponse {
    Blob blob = 1;
}

message BlobList {
    repeated Blob blobs = 1;
}

message BlobListRequest {
    uint64 height = 1;
    bytes namespace_id = 2;
}

message BlobListResponse {
    BlobList blob_list = 1;
}

message SubmitBlobRequest {
    Blob blob = 1;
}

message SubmitBlobResponse {
    bytes commitment = 1;
}

service BlobService {
    rpc GetBlobByCommitment (BlobRequest) returns (BlobResponse) {}
    rpc GetBlobs (BlobListRequest) returns (BlobListResponse) {}
    rpc SubmitBlob (SubmitBlobRequest) returns (SubmitBlobResponse) {}
}

Data Availability Proofs

The proof type is defined in the celestia-node codebase here:

type Proof []*nmt.Proof

nmt.Proof is a reference "github.com/celestiaorg/nmt" which defines a Proof here.

A comment in the celestia-node codebase states

// The Proof is a set of nmt proofs that can be verified only through
// the included method (due to limitation of the nmt https://github.com/celestiaorg/nmt/issues/218).
// Proof proves the WHOLE namespaced data to the row roots.
// TODO (@vgonkivs): rework `Proof` in order to prove a particular blob.
// https://github.com/celestiaorg/celestia-node/issues/2303

The referenced issue (#2303) is still open but is beyond the scope of this API.

message NMTProof {
    uint32 start = 1;
    uint32 end = 2;
    ?? nodes = 3;
    bytes leaf_hash = 4;
    bool is_max_namespace_id_ignored = 5;
}

message NMTProofRequest {
    bytes commitment = 1;
}

message NMTProofResponse {
    NMTProof hash = 1;
}

service NMTProofService {
    rpc GetProofByCommitment (NMTProofRequest) returns (NMTProofResponse) {}
}

Fraud Proofs

Fraud Proofs seem to be referenced in the celestia-node code here which references the go-fraud repo which a stub proto here.

There doesn't seem to be a concrete implementation of fraud proofs, so we leave this API as a TODO.

message FraudProof {}

message FraudProofRequest {}

message FraudProofResponse {}

service FraudProofService {
    rpc GetFraudProof (FraudProofRequest) returns (FraudProofResponse) {}
}

Extended Headers

The ExtendedHeader is already defined as a proto here

message ExtendedHeader {
    tendermint.types.Header header = 1;
    tendermint.types.Commit commit = 2;
    tendermint.types.ValidatorSet validator_set = 3;
    celestia.da.DataAvailabilityHeader dah = 4;
}

message ExtendedHeaderList {
    repeated ExtendedHeader extended_headers = 1;
}

message ExtendedHeaderRequest {
    oneof identifier {
      uint32 block_number = 1;
      bytes block_hash = 2;
    }
}

message ExtendedHeaderListRequest {
      uint32 start_block = 1;
      uint32 end_block = 1;
}

message ExtendedHeaderResponse {
    ExtendedHeader extended_header = 1;
}

message ExtendedHeaderListResponse {
    ExtendedHeaderList extended_header_list = 1;
}

service ExtendedHeaderService {
    rpc GetExtendedHeaderByHash (ExtendedHeaderRequest) returns (ExtendedHeaderResponse) {}
    rpc GetExtendedHeaderByHeight (ExtendedHeaderRequest) returns (ExtendedHeaderResponse) {}
    rpc GetExtendedHeaderListByHeights (ExtendedHeaderListRequest) returns (ExtendedHeaderListResponse) {}
}

Shares

The celestia-node codebase defines a NamespacedSharesResponse here which references the share module which defines a Share as []byte.

message Share {
    bytes share = 1;
}

message ShareList {
    repeated Share shares = 1;
}

message ShareRequest {
    ExtendedHeader extended_header = 1;
    uint32 row = 2;
    uint32 column = 3;
}

message ShareResponse {
    Share share = 1;
}

message ShareListRequest {
    ExtendedHeader extended_header = 1;
    bytes namespace_id = 2;
}

message ShareListResponse {
    ShareList share_list = 1;
}

service ShareService {
    rpc GetShareByExtendedHeader (ShareRequest) returns (ShareResponse) {}
    rpc GetShareListByNamespace (ShareListRequest) returns (ShareListResponse) {}
}

Extended Data Square

ExtendedDataSquare is defined in github.com/celestiaorg/rsmt2d here

TODO: Define the correct proto for an ExtendedDataSquare

message ExtendedDataSquare {
    // TODO
}

message ExtendedDataSquareRequest {
    ExtendedHeader extended_header = 1;
}

message ExtendedDataSquareResponse {
    ExtendedDataSquare extended_data_square = 1;
}

service EDSService {
    rpc GetEDSByExtendedHeader (ExtendedDataSquareRequest) returns (ExtendedDataSquareResponse) {}
}

[liamsi]

This is a great start! I'm leaving a few comments per section focusing on the high-level use-cases (and hopefully not bikeshedding on minor details):

Blobs

The service scope makes a lot of sense and I think this generally should be the methods of the blob module/service:

service BlobService {
    rpc GetBlobByCommitment (BlobRequest) returns (BlobResponse) {}
    rpc GetBlobs (BlobListRequest) returns (BlobListResponse) {}
    rpc SubmitBlob (SubmitBlobRequest) returns (SubmitBlobResponse) {}
}

That said, the SubmitBlobRequest misses a bunch of important params:

• users need to be able to define the key they want this signed by (either by local key store alias, or by a celestia address, or both)
• users might want to increase the gas fee they are willing to pay to get the blob included faster
• similar to the above points there might a few more params I am missing (see the Fee struct here)
• If users want to submit several blobs to be included in one block, they can't wait until the first one made it (b/c then they wouldn't be in the same block). Hence, there should be an option that is non-blocking (like broadcastTxAsync in the cosmos-sdk).
• There might be edge cases whereSubmitBlobResponse needs to additionally return a tx hash (needs further investigation though)

Proofs:

• user likely need another API endpoint to get proofs of inclusion for the blob (this needs further discussion/investigation as well); while there is a suggested NMTProofService, I am not sure this covers all use-cases. Also, it might be better to have blob-only related proofs exposed via an endpoint in the blob service directly

Data Availability Proofs

Having a proof API could be a good idea but the see the last point on Proofs above. It could be better to expose the proofs per service instead of a lower-level generalized NMTProofService. Additionally, NMT proofs alone will not be sufficient: in some cases, e.g. smart contracts on ethereum validating inclusion of shares, i.e. blobstream, or a rollupp IBC client, you will need proofs up to the data root. Row roots are merkelized with a simple merkle tree instead of an NMT.

Fraud Proofs

there doesn't seem to be a concrete implementation of fraud proofs, so we leave this API as a TODO.

There is actually a concrete implementation, i.e. for bad encoding fraud proofs. Users will need two endpoints for those:

• watch out for new bad encoding fraud proofs (streaming/subscription)
• request historical fraud proofs

Extended Headers

I think this additionally needs a way to subscribe / listen to a header stream.

Shares

A few comments on the proposed API:

• IMO it should not be necessary to submit the whole extended header in a ShareRequest; the shares should be requestable by height/block hash/ data root or some identifier instead of using whole extended header for that
• The proposed API only returns a singular share, while in reality, users will want to request a range of shares as well (see for instance the blobstream API being worked on here: feat: add support for Blobstream API #3470 )
• similar to the comment around the DA Proofs section above, there should be a ProveShares endpoint in the shares service (again, see the blobstream API)
  • also, it must be possible to request the share(s) with their respective proof in one go
• Similarly, they need a commitment proof for a share commitment, see ProveCommitment in feat: add support for Blobstream API #3470

Other comments

The two methods used by blobstream (but can potentially be useful for other rollups/data attestation bridges) that are not covered by the API nor my comments above, should also be part of the protobuf definition:

• see feat: add support for Blobstream API #3470, specifically GetDataCommitment and GetDataRootInclusionProof:

	// GetDataCommitment collects the data roots over a provided ordered range of blocks,
	// and then creates a new Merkle root of those data roots. The range is end exclusive.
	GetDataCommitment(ctx context.Context, start, end uint64) (*ResultDataCommitment, error)

	// GetDataRootInclusionProof creates an inclusion proof for the data root of block
	// height `height` in the set of blocks defined by `start` and `end`. The range
	// is end exclusive.
	GetDataRootInclusionProof(
		ctx context.Context,
		height int64,
		start, end uint64,
	) (*ResultDataRootInclusionProof, error)

It is also worth discussing if there should be 3 modes for each of the data types that can be requested:

1. data only (no proofs)
2. proofs only (no data)
3. data + proofs

I am not convinced 1. is ever needed tbh but left it here for completeness.

Regarding key management and signing, and if the API should contain all grpc endpoints of the state machine as well, I'm also linking these two discussions as they are related:

• api: What should be surface of celestia-node API in relation to the state machine? #3506
• [Feature Request]: Keys Management #3022 (comment)

Also, orthogonal to the above, there is no notion of error codes/error IDs in the above Response types.

[rach-id]

Agreed concerning the Blobstream related API. We should have the following endpoints (where to put them is still being discussed):

• ProveShares: which proves a set of shares defined by a range up to the data root
• ProveCommitment: which proves that a share commitment was committed to by a data root
• GetDataCommitment: which returns the merkelized root over a set of data root tuples, i.e., <height:data_root>
• GetDataRootInclusionProof: which proves the inclusion of a data root tuple to the data commitment

The last 2 are only blobstream specific. But the first two can also be used in rollups fraud proofs.

[liamsi]

Additional quick notes/questions from the WG call:

• do we need a tx hash / ID returned at all? What is the user-story behind "jumping back to app" and needing the tx hash?

  • only info you don't have when submitting a blob is height it was included
  • needs a unique ID either way

• height only makes sense when having a sync submission API

• what to use in an async context?

• tx hash? some other ID? is some other ID not confusing in a blockchain context (where people assume a tx hash)? Slava suggested sth here: api: Protobuf API Draft #1 #3517 (comment) but tx hash seems still much simpler

• note: if we use tx hash, then the API also needs a way to request a TX by hash, or at least its status by hash or a method GetBlobIDByTxHash (h/t @walldiss)

• for fraud: it is essential that there is a subscribe or stream like service

• "network head" is useful <- the node's current view of the tip of the chain

• do we need "local head"? What are the user stories behind these?

• do we even need the extended data square endpoint?

  • probably not; currently used to request range of shares as the API does not support that
  • We need a method to get shares by range (ranges of rows) instead.

[vgonkivs]

Thanks @jbowen93. The API looks great. I'd like to add a few things to the Blob Module:

1. Since header block is necessary for getting blobs, I'd also include it in SubmitBlobResponse. Also, obtaining the height will not be possible in case of async blob submission, so I'd also add txHash as a part of the response.

message SubmitBlobResponse {
    bytes commitment = 1;
    oneof identifier {
      uint32 block_number = 2;
      bytes tx_hash = 3;
    }
}

2. Add Subscribe method that allows getting blobs from each height by a namespace:

service BlobService {
    rpc GetBlobByCommitment (BlobRequest) returns (BlobResponse) {}
    rpc GetBlobs (BlobListRequest) returns (BlobListResponse) {}
    rpc SubmitBlob (SubmitBlobRequest) returns (SubmitBlobResponse) {}
    rpc Subscribe(SubscribeRequest) returns (stream Blob) {}
}

message SubscribeRequest {
 bytes namespace_id = 1;
}

[vgonkivs]

In the case of sync submission, we can get both of these values. I think it's not necessary to keep both and return only block_number.

do you think we should add tx_hash to that oneof for the case of async submission?

Yes, and we should provide an API that applies a tx_hash and returns the height then.

[vgonkivs]

We can do it internally for GetBlob though:

message BlobRequest {
    bytes commitment = 1;
    bytes namespace = 2;
    oneof identifier {
       uint32 block_number = 3;
       bytes tx_hash = 4;
    }
}

[liamsi]

Can node already request the blob by tx_hash?

[vgonkivs]

No

[vgonkivs]

Yes, and we should provide an API that applies a tx_hash and returns the height then.

One thing that I'm concerned about regarding this endpoint is that the user will not know that the returned height is correct and contains the transaction, until he requests the blob. I'm wondering shouldn't we return a PFB inclusion proof with the height? Or I'm missing something and it's not that critical?

[Wondertan]

Providing a list of things I find essential to be emphasized and some of them might be repeated. There are more little details that I need to look into as it is too early for them. The next step is incorporating all the feedback into the Draft for the next round of reviews.

Avoid any dependence on DataAvailabilityHeader(DAH)

• That's a protocol-specific detail that should be abstracted away (I can elaborate on reasoning if requested)
• The proposal defines a Blob proof as a list of NMT proofs proving to DAH. Instead, we should be proving to a singular `DataRoot, which results in MerkleTree proof over NMTProofs.
  • The future API should incorporate this anyway and potentially get the representation of such proof from Blobstream
• ExtendedDataSquareRequest should use height instead.

Minimize reliance on ExtendedHeader

• ExtendedHeader extends regular Header with Commit, ValSet and DataAvailabilityHeader.
  • With header trimming around the corner, the Commit and ValSet will be removed from it for reasons out of the scope of this discussion(I can elaborate on reasoning if requested)
  • The DataAvailabilityHeader presence in the API has to be minimized and its likely to be removed with with further iterations of trimming
  • We should make the HeaderService return just the celestia-core header.
• All the places where it is used in the request body should be using height instead.
• There are quite a few in the proposal

We don't need a separate DataAvailabilityProofsService

+1 to what @liamsi mentioned. Every single "resource"(referencing the resource-oriented design you've linked) has some proof attached, and accessing proofs should be part of the respective resource API. Therefore, the BlobService proposal needs to have a way to request proof to DataRoot

More ShareService methods

• GetRow(height, index) - ShareListResponse
• GetShareRange(height, startIdx, endIdx) - ShareListResponse
• Besides, and as already mentioned, most of ShareService methods have to provide an option to request data with proofs or just the data or proofs.
  • We should also keep that optionality within the methods. Having all 3 possible options for each data type will bloat the service, while in most cases, the same types are getting returned. This is where the optional field feature of protobufs will be fruitful.
• Worth noting again the necessity of proofs to be up to DataRoot rather than DAH

Merge ShareService and ExtendedDataSquareService

I understand the goal of separating EDS methods out of share to follow resource-oriented design; however, coupling those doesn't violate that. The square is just a list of shares, and the whole purpose of the ShareService is to provide the ability to access the share data structure/resource, and the square is a subset of that.

FraudService

The methods should work with fraud types. At this point, there is only one—BEFP. With the current trajectory towards ZKing everything, it's not clear if there will be more.

Subscriptions

Most of the services we define should have subscriptions in place for the respective resources. There are a lot of opportunities for the event-driven model for users building on us.

[liamsi]

Besides, and as already mentioned, most of ShareService methods have to provide an option to request data with proofs or just the data or proofs.

• We should also keep that optionality within the methods. Having all 3 possible options for each data type will bloat the service, while in most cases, the same types are getting returned. This is where the optional field future of protobufs will be fruitful.

Note that in proto3 all fields are "optional" by default. If we don't want to introduce one method for each mode, then I would suggest introducing an enum. Something along these lines:

enum RetrievalMode {
    PROOFS_AND_DATA = 0; // default
    DATA_ONLY = 1;
    PROOFS_ONLY = 2;
}

// example usage in blob request message:
message BlobRequest {
    uint64 height = 1;
    bytes namespace_id = 2;
    bytes commitment = 3;
    RetrievalMode mode = 4;
}

I would not be opposed to adding a separate method for each mode instead though.

[Wondertan]

Note that I meant "feature" instead of "future", corrected the OP.

[liamsi]

Tx / blob submission options

I would also suggest to add the following type below (maybe name it differently?).

This will allow to set all necessary params for blob (or any tx) submission.

Question is if we need both signer_address and key_name. Both types are strings and arguably you only need one "signer-ID" instead which can be a key name or a wallet address. It is left open how to identify these in the implementation and recommend to support either by address or by key-name:

// TxConfig specifies additional options that will be applied to the Tx.
message TxConfig {
    string signer_address = 1; // Specifies the address from the keystore that will sign transactions.
    string key_name = 2; // Specifies the key from the keystore associated with an account that will be used to sign transactions.
    float  gas_price = 3; // Represents the amount to be paid per gas unit.
    // bool   is_gas_price_set = 4; // Indicates if the gas price has been explicitly set by the user.
    uint64 gas = 5; // Specifies the gas amount.
    string fee_granter_address = 6; // Specifies the account that will pay for the transaction.
}

The blob service then would look sth like that:

message SubmitBlobRequest {
    Blob blob = 1;
    TxConfig tx_config = 2; 
}

ref: #3349

Note that all fields in proto3 are optional by default but we could also more explicitly tag them with the optional tag.

[liamsi]

@vgonkivs or @celestiaorg/celestia-node what was the rationale for is_gas_price_set? Is that because otherwise one can't differentiate between 0 and it not being set?

[vgonkivs]

Correct. Since the default gas price is -1, we need to understand - was 0 set explicitly by user or it wasn't set at all.

[liamsi]

in v2 there will be a min-fee though: https://github.com/celestiaorg/celestia-app/blob/1bd0f133222f60c0f89779db1374c23a36eea213/x/minfee/README.md

A gas_price of zero would not be allowed anyways 🤔 The default will be 0.000001 utia

[vgonkivs]

Then, we can remove this field after v2 is merged 😊

[liamsi]

I think we can then simplify this here to:

// TxConfig specifies additional options that will be applied to the Tx.
message TxConfig {
    // Specifies the address or key id from the keystore that will sign transactions.
    string signer = 1; 
    // Represents the amount to be paid per gas unit.
    float  gas_price = 2; 
    // Specifies the gas limit.
    uint64 gas = 3; 
    // Specifies the fee granter account that will pay for the transaction.
    string fee_granter_address = 4; 
}

The spec can then mention that signer usually is an address but that implementations can also use other string identifiers.

[liamsi]

Error codes

Regarding error handling, I would suggest a similar approach as @walldiss suggested here: #3529 (comment)

Particularly, as we might want to expose this API via json over http.

Suggested proto messsages:

enum ErrorCode {
  UNKNOWN_ERROR = 0; // TODO better start at a much higher error code range
  INVALID_REQUEST = 1;
  INVALID_PARAMS = 3;
  INTERNAL_ERROR = 4;
  // TODO Add more specific error codes here. 
  // related issues:
  // https://github.com/celestiaorg/celestia-node/issues/3335#issuecomment-2079748320
  // https://github.com/rollkit/go-da/issues/65
}

message RpcError {
  ErrorCode code = 1;
  string message = 2;
}

Response messages should be changed to (for example):

message BlobResponse {
    oneof response {
        Blob blob = 1;
        RpcError error = 2;
    }
}

[liamsi]

Question: Should some errors be per service instead of in a central error package?

[liamsi]

Fraud Service

The current fraud API is very go-idiomatic: it returns a channel but what is even worse, the user is completely left in the dark what type the returned Proof actually is:

I would instead suggest the following (concrete) API and rename to befp for the module / service name:

message BEFPRequest {
  uint64 from_height = 1;
}

message BEFPsSubscribeRequest {}

message BadEncodingFraudProof {
  // TODO add concrete fields here
}

service BadEncodingFraudProofService {
  rpc GetAll(BEFPRequest) returns (BadEncodingFraudProof) {}
  rpc SubscribeBEFPs(BEFPsSubscribeRequest) returns (stream BadEncodingFraudProof) {}
}

cc @Wondertan @vgonkivs

[vgonkivs]

During the implementation we were assuming that there will be more than 1 concrete type of the Proof. Re validity proofs, I'm pretty sure, we can adjust code of the go-fraud(rename to go-proof) to handle both types of proofs if it's needed.

[liamsi]

Re validity proofs, I'm pretty sure, we can adjust code of the go-fraud(rename to go-proof) to handle both types of proofs if it's needed.

That is neat but that is even more different than a general/abstract "fraud" service. Once we cross that bridge and either ...

• have multiple types of fraud proofs
• have multiple types of validity proofs

... and these would share the property that they should be semantically treated the same (e.g. all validity proofs would come through via a single "subscribe" method) then this would make sense. At this time, it simply does not make sense unless I am missing sth.

Note that I am not arguing against abstracting this in the implementation/in go-fraud/go-proof (which also seems premature but OK) but rather for the developer facing API.

[liamsi]

Or let me ask differently, how would you today describe to a Rust dev how to handle fraud proofs? Currently, one has to dig through multiple indirections of interfaces/repositories and try to match that with what the spec says about befps. I think having a concrete befp type returned that resembles what is in a spec can help to save a bunch of time how to handle that vs digging through node and go-fraud.

[Wondertan]

I agree that a concrete BEFP type should be described in proto so that X lang devs don't have to look through our code. Keeping this general interface is not a big deal as proto has oneofkey. The service stays similarly general yet specifies what concrete types might be returned. I do agree tho with the point of not generalization not being necessary, as the future is bright(zk). And to abstract go-fraud to go-proof, we would need to know if validity proofs are attached to header or detached and delayed

[Wondertan]

we would need to know if validity proofs are attached to header or detached and delayed

Because if they are attached, we don't need any generalization and can piggyback off the header, and if delayed, the p2p networking for proofs becomes necessary.