An architecture for programmable storage markets

[anorth]

July 2022: This proposal has been re-written to take implementation of #313 (with this implementation sketch) as a pre-requisite. This simplifies the remaining changes a good deal. Modelling data cap as a fungible token, with market actors acting as delegates, also removed the need to change off-chain deal negotiation protocol 🎉 . Some of the discussion below thus talk about a more complex change than is now proposed.

Abstract

This proposal is a refactoring of the APIs and interactions between the storage miner actor, built-in storage market actor, and Filecoin Plus verified registry actor to provide a platform for alternative storage markets, incentive schemes, and other sector-content-related applications to be built on the FVM.

The thrust of the architecture is a decoupling and separation of concerns between the three actors. Notable points include:

• Both clients and miner actors can interact with the verified registry directly to allocate and claim data cap allowances. Market actors are not necessarily involved, but can act as a delegates (this property comes from Decoupling FIL+ term from storage marketplaces (FIP-0045) #313).
• The built-in market actor is no longer used to calculate the sector data commitment, quality-adjusted power, or other consensus inputs. The miner actor takes all trusted computations.
• Storage provider operators specify deal metadata at proof-of-replication instead of fetching it from the market actor during sector pre-commit. The miner actor forwards it to the market. Deal metadata is really just piece metadata, which could be for a market or any other application.
• The market actor is informed of piece commitments into sectors, but has no power to deny them. Other actors could similarly be informed of changes to sector content.

This proposal requires FIP-0034 simplifying pre-commit deposit as pre-requisite.

This proposal is complemented by miner←→market registrations: if/when we support updatable sector content we would need such a notification mechanism.

Motivation

High level motivation for why to provide a platform for alternative storage markets and other content-related contracts is given in #241.

We need to change the storage market contract architecture because the current structure does not provide the information and hooks that would be needed by new applications to implement storage-deal-like functionality. It privileges the built-in market actor as the one which the storage miner actor consults. In order to enable the development of useful storage-related applications and features, we need to break the tight coupling between these built-in actors, expose composable on-chain primitives, and make the capabilities of the built-in market actor available to user-programmable contracts.

Goals of this architecture proposal include:

• Remove any trust in market actors (including the built-in one) for network-critical things like storage power. Markets are responsible only for maintaining their own internal state and application policies.
• Prepare a path to the implementation of features like deal renewal/extension and transfer without significant changes to built-in actors’ APIs.
• Support development of alternative markets, including ability to broker deals for verified data.
• Retain the current economic structures, incentive, pledge requirements etc.

It will be more-or-less impossible to remove or change any exposed API after the first user-programmed contracts are deployed to the Filecoin mainnet, without breaking them. Thus, built-in actors should be quite conservative in what they export, as they will be bound to support it for a long time (see #401).

Specification

The following new APIs only include the methods related to storage onboarding and deals. Assume the remainder of these actors’ APIs remain as-is.

This proposal is written assuming that the changes described in FIP-0034 are already in place.

Verified registry actor

See implementation notes in https://www.notion.so/FIL-indefinite-term-limits-08079d7ec25c4cae839a3bf95a82df26

Storage miner actor

State

The miner actor no longer persists deal IDs in state at all.

type SectorPreCommitOnChainInfo struct {
	Info {
	  SealProof       abi.RegisteredSealProof
	  SectorNumber    abi.SectorNumber
	  SealedCID       cid.Cid // CommR
	  SealRandEpoch   abi.ChainEpoch
    // Sector pre-commit no longer references deals.
		~~DealIDs         []abi.DealID~~
	  Expiration      abi.ChainEpoch	
	  UnsealedCID     cid.Cid // CommD
  }
	PreCommitDeposit  abi.TokenAmount
	PreCommitEpoch    abi.ChainEpoch
}

type SectorOnChainInfo struct  {
	SectorNumber          abi.SectorNumber
	SealProof             abi.RegisteredSealProof
	SealedCID             cid.Cid // CommR
  // Sector info no longer references deals either.
	~~DealIDs               []abi.DealID~~

	Activation            abi.ChainEpoch  
	Expiration            abi.ChainEpoch  
	DealWeight            abi.DealWeight
	VerifiedDealWeight    abi.DealWeight
	InitialPledge         abi.TokenAmount 
	ExpectedDayReward     abi.TokenAmount 
	ExpectedStoragePledge abi.TokenAmount 
	~~ReplacedSectorAge     abi.ChainEpoch~~  // Can deprecate 140 days after nv15
	~~ReplacedDayReward     abi.TokenAmount~~ // Can deprecate 140 days after nv15
	SectorKeyCID          *cid.Cid
}

Methods

Deal IDs are no longer specified at sector pre-commitment. Instead, the pieces of data that comprise a sector’s data are declared as a “manifest” when the replica or update is proven.

The provider must commit to the both the sealed and unsealed CIDs at pre-commit. At PoRep the miner actor then checks that the unsealed CID matches that computed from the piece CIDs (and an optional implicit zero piece for padding), and the PoRep proof verifies it corresponds to the sealed CID also committed earlier. The ReplicaUpdate flow commits and proves at the same time.

Each piece may specify a market contract address and market-specific identifier which it satisfies. The miner will synchronously notify that market address that the piece has been committed. The miner will pay no attention to the success or otherwise of that notification to the market: the sector will be committed regardless. Note that there is no requirement for the actor that is notified to be some kind of marketplace: it is just a contract that is notified when the piece is committed.

Each piece may also declare a FIL+ verified data cap allocation ID that it satisfies. The miner actor will claim that allocation directly from the verified registry actor and, if successful, calculate quality-adjusted power according to the piece’s size.

type SectorPreCommitInfo struct {
	SealProof       abi.RegisteredSealProof
	SectorNumber    abi.SectorNumber
	UnsealedCID	cid.Cid // CommD
	SealedCID       cid.Cid // CommR
	SealRandEpoch   abi.ChainEpoch
  // No deals specified during pre-commit.
	~~DealIDs         []abi.DealID~~
	Expiration      abi.ChainEpoch
}
type PreCommitSectorBatchParams struct {
	Sectors []SectorPreCommitInfo
}
func (Actor) PreCommitSectorBatch(params *PreCommitSectorBatchParams)

// Sector content is declared at PoRep
// (previously, this data was fetched from the built-in market actor).
type SectorManifest struct {
	SectorNumber uint64
	// Declaration of pieces that make up the sector data.
	// Implicit "zero" piece to fill remaining capacity need not be specified.
	Pieces       []PieceManifest
}
type PieceManifest struct {
	PieceCID                 cid.CID // CommP
	Size                     PaddedPieceSize
	// Each piece may specify a FIL+ verified data cap allocation ID.
  // If the piece is a sub-piece of a larger allocation, also specifies
  // the range covered and an inclusion proof in the allocation.
	VerifiedDataAllocationID uint64 // Optional
	VerifiedDataRangeStart   uint64
  VerifiedDataRangeEnd     uint64
	VerifiedDataInclusionProof []byte // ???
	// Each piece may specify an actor and piece ID to notify on commitment.
  // TODO: an array of these tuples for multiple downstream actors?
	NotifyAddress            address.Address // Optional
	NotifyPieceID            uint64 // E.g. deal ID, optional
}

type ProveCommitAggregateParams struct {
	SectorNumbers  bitfield.BitField
	AggregateProof []byte
	// Declaration of data for each non-empty sector.
	Manifests      []SectorManifest
	
}
func (Actor) ProveCommitSectorAggregate(params *ProveCommitAggregateParams)

type ReplicaUpdate struct {
	SectorID             abi.SectorNumber
	Deadline             uint64
	Partition            uint64
	NewSealedSectorCID   cid.Cid // CommR
  // Deals are replaced by sector manifest.
  ~~Deals                []abi.DealID~~
	UpdateProofType      abi.RegisteredUpdateProof
	ReplicaProof         []byte
	Manifest             SectorManifest
}
type ProveReplicaUpdatesParams struct {
	Updates []ReplicaUpdate
}

func (Actor) ProveReplicaUpdate(params *ReplicaUpdateParams)

Storage market actor

The built-in market actor loses its privileged role (except for continued use of the Cron actor), and becomes just one of many possible market mechanisms that could be implemented as user contracts.

The basic SectorDeals map in state and SectorContentAdded method described below supports deals within the current restrictions of the market actor: deals cannot exceed their sector’s committed lifetime, the data cannot be moved between sectors, deals cannot be extended. Extension methods are outlined to show how this API can be extended to break those limitations in the future.

Deal negotiation

The built-in storage market actor is pre-authorized to act as a delegate for verified registry clients, and thus allocates and claims data cap according to the verified field already present in the deal proposal.

The current deal negotiation structures do not have space to communicate an existing data cap allocation ID, but it could be specified out of band.

State

type SectorDeals struct {
	SectorExpiration abi.ChainEpoch
	Deals            []abi.DealId
}
type State struct {
	// All existing state as today.

	// Maps sector IDs to deals, per storage provider.
	// This supports the actor keeping track of whether deals remain satisfied
	// as data moves between sectors in the future.
	SectorDeals cid.CID // HAMT[address.Address]AMT[abi.SectorNumber]SectorDeals

	// TODO: should we also write the deal's sector ID into the deal state?

	///// Extensions

	// A queue of sector IDs by their expiration epoch.
	// Records sectors for which the market must check if deals have been
	// re-commited to new sectors before the original one expires.
	// This supports the market accepting deals that have a term longer
	// than the lifespan of the sector they are originally sealed into.
	// No need to track where the deal fits inside a sector's lifespan:
	// the market will be explicitly notified if the sector terminates early.
	SectorExpirations cid.CID // AMT[abi.ChainEpoch]bitfield.Bitfield

}

Methods

The market actor becomes an example for other actors. While the deal-negotiation methods need not be standardised, the method/s by which the storage miner actor informs the market of changes to sector content must be standards.

// Publishing storage deals is unchanged.
// This method is NOT STANDARDISED across markets, as they may have
// different deal proposal structures.
func (Actor) PublishStorageDeals(params *PublishStorageDealsParams)

type PieceInfo struct {
	// The piece data commitment and size, verified by the miner actor.
	CID  CID
	Size PaddedPieceSize
	// Market-specific identifier for this piece, provided by the provider.
	// E.g. the deal ID which the provider claims this piece satisfies.
	// TODO: should we use a more flexibile []byte key?
	PieceID uint64
}
type SectorContentAddedParams struct {
	Sector     abi.SectorNumber
	Expiration abi.ChainEpoch
	Pieces     []PieceInfo
}
// Called by the miner actor when non-zero data is proven in a sector,
// either at initial PoRep, or with a replica update (Snap).
// Checks that the piece CID and size match the nominated deal, and consider
// the deal active if so.
// This replaces the current ActivateDeals.
// Without extensions, rejects attempts to satisfy a deal if the deal term
// is beyond the sector expiration.
// With state.SectorExpirations state member, can support deals with arbitrary terms.
// Note: will probably implement a batch version, single use shows for simplicity.
// TODO: add a generic return value to be threaded back through the miner
// to the caller?
// STANDARD METHOD: other market actors must implement the same method
// signature if they expect to receive calls from the miner actor when
// data is committed.
func (Actor) SectorContentAdded(params *SectorContentAddedParams)

type SectorTerminatedParams struct {
	Epoch   abi.ChainEpoch
	Sectors []abi.SectorNumber
}
// Called by the miner actor when a sector is terminated ahead of its
// scheduled expiration.
// Pending a mechanism for fine-grained event registrations, this is called
// for all unscheduled sector terminations, whether or not the sector holds
// a deal for this market (because the miner doesn't know).
// The market actor looks up the sector->deal map and marks any
// deals found as terminated (but defers further processing until cron).
// This replaces OnMinerSectorsTerminate().
func (a Actor) SectorTerminated(rt Runtime, params *OnMinerSectorsTerminate)

///// Extensions

// Note: we can immediately support deal extension up to the *original* 
// expiration of the sector with no further state (but a new market method).

type SectorExpirationChangedParams {
	Sector        abi.SectorNumber
	OldExpiration abi.ChainEpoch
	NewExpiration abi.ChainEpoch
	// TODO: add parameters for deals to extend at the same time?
}
// Called by the miner when a sector's expiration epoch is extended.
// Can support extending a deal up to the sector's *new* expiration.
// Note: will probably implement a batch version, single use shows for simplicity.
// STANDARD METHOD.
func (Actor) SectorExpirationChanged(params *SectorExpirationChangedParams)

// With state.SectorExpirations, can support deal extension to arbitrary terms,
// beyond a sector's currently committed lifespan, by the provider
// re-committing the same data into a new sector.
// Deal extension is a simple case of more general deal re-negotiation.
// Such methods are NOT STANDARDISED, and depend on individual market features.
// Details omitted here.

// If we make sector content updateable, a new SectorContentChanged
// method implicitly replaces any pieces not explicitly mentioned.
// In order to track pieces between sectors, either 
// (a) caller must also specify the previous sector ID for a piece, or
// (b) store deal sector ID in deal state object.
// STANDARD METHOD.
func (Actor) SectorContentUpdated(params *SectorContentUpdatedParams)

Control & data Flows

The standard end-to-end verified deal onboarding flow currently looks like this:

SP → Market.PublishStorageDeals
SP → Miner.PreCommitSector[Batch]
    Miner → Market.VerifyDealsForActivation
SP → Miner.ProveCommitSector[Aggregate]
    Miner → Market.ComputeDataCommitment
    Miner → Market.ActivateDeals

After this architecture, it looks like this:

[Optonal] Client → VerifReg.AllocateDataCap
SP → Market.PublishStorageDeals  (~vo)
    Market → VerifReg.AllocateDataCap  (~nv)
SP → Miner.PreCommitSector[Batch]
SP → Miner.ProveCommitSector[Aggregate]
    Miner → VerifReg.ClaimAllocation  (~nv)
    Miner → Market.SectorContentAdded  (~vo)

A client’s call to AllocateDataCap is necessary only if they have not delegated a market actor to allocate data cap on their behalf.

The storage provider passes the FIL+ allocation, market address, and deal IDs when proving a sector. The miner actor checks that these values match the sector content, and then passes them on as trusted values to the verified registry and market actors.

Frequent flows will be even simpler.

• For a deal that is not verified, the verified registry actor is not involved, so neither the client, market, nor the miner actor need to call to allocate or claim data cap. These calls are marked as (~nv)
• For a verified data cap without a deal, no market is involved, so the provider need not publish the deals nor call the market to inform it of the new committed content. These calls are marked as (~vo).

Migration

A state migration is required to realise this architecture in mainnet. Details to be fleshed out, but in brief:

• Move the sector→deal mappings from miner sector info to market actor
• Leave existing QA power, pledge, penalty values in place for existing sectors

Discussion

Limitations

• Only a single “market” contract and identifier supported for each piece, notified when committed. An intermediate contract could proxy for multiple markets, but clumsily. Should we support multiple notifiers per piece?

Extensions

These APIs are designed with extension to more powerful and flexible programmable storage in mind. In general these will require new methods to be added.

• Deal extension within sector lifespan
  • Extension of deal terms up to the end of a newly-extended sector commitment can be achieved after (or concurrent with) the miner calling market.SectorExpirationChanged. New methods on miner and/or market actor would be needed to support this.
• Deal extension beyond sector lifespan
  • Extension of deal terms, possibly indefinitely, can be made possible by committing the same deal data into a new sector. Additional parameters need to communicate which sector the piece is moving from (or recording sector id in deal state).
• Updatable sector content
  • Sector content is presently write-once, primarily due to restrictions imposed by the QA power mechanism. When we resolve those restrictions, miners can update the content in sectors after the initial seal or replica update. To support this safely, markets must be provided a notification whenever the content of a sector that is (was) supporting deals from that market changes. Something like the Miner->market registrations for fault handling in deal markets #265 proposal could achieve this, but requires some detailed design to find a good simplicity/efficiency trade-off.
• Transfer between providers
  • New methods could support the transfer of sector content between storage providers, with the appropriate notifications to market actors. Markets would set their own policy as to whether such transfer is permitted under the deal terms.
• Fault notifications.
  • Markets may wish to be notified when a sector becomes temporarily faulty. The miner→market registrations proposal may satisfy this need.
  • The FIL+ premium proposal also requires this.
• Async sector content proofs, with new piece inclusion proof
  • At present, a miner must activate deals synchronously with proving the sector content. This is because the unsealed sector CID (”CommD”) is not stored on chain, but is required in order to demonstrate the inclusion of any specific data within the sector. Future work may provide an inclusion proof that can be evaluated after sealing in order to demonstrate to a market (or the verified registry actor) that a provider is storing some data some time after the sector is sealed.

The prior version of this post is available inside this expander.

# Abstract

This proposal is a refactoring of the APIs and interactions between the storage miner actor, built-in storage market actor, and verified registry actor (FIL+) to provide a platform for alternative storage markets, incentive schemes, and other sector-content-related applications to be built on the FVM.

The thrust of the architecture is a decoupling and separation of concerns between the three actors. Notable points include:

• Both clients and miner actors interact with the verified registry directly to allocate and claim data cap allowances. The market actor is no longer involved or informed.
• The market actor is no longer trusted to calculate the sector data commitment, quality-adjusted power, or other consensus inputs. The miner actor takes all trusted computations.
• Storage provider operators specify deal metadata at PoRep instead of fetching it from the market contract at sector pre-commit. The miner actor forwards it to the market. Deal metadata is really just piece metadata, which could be for a market or any other application.
• The market actor is informed of piece commitments into sectors, but has no power to deny them. Other actors could similarly be informed of changes to sector content.

This proposal is complementary to miner←→market registrations, and likely requires such a mechanism to safely support multiple markets if/when we support updateable sector content. Changing the pre-commit deposit is also a pre-requisite.

Edits:

• 2022-02-24: miner commits to unsealed CID at pre-commitment, to prevent grinding
• 2022-02-25: fix market deal ID to be uint64 everywhere

Motivation

High level motivation for why to provide a platform for alternative storage markets and other content-related contracts is given in #241.

We need to change the storage market contract architecture because the current structure does not provide the information and hooks that would be needed by new applications to implement storage-deal-like functionality. It privileges the built-in market actor as the one which the storage miner actor consults. In order to enable the development of actually-useful storage-related applications and features, we need to break the tight coupling between these built-in actors, expose composable on-chain primitives, and make the capabilities of the built-in market actor available to user-programmable contracts.

Goals of this architecture proposal include:

• Remove any trust in the built-in market actor, or any user-programmed market actor, for network-critical things like storage power. Markets are responsible only for maintaining their own internal state and application policies.
• Prepare a path to the implementation of features like deal renewal/extension and transfer without significant changes to built-in actors’ APIs.
• Support development of alternative markets, including ability to broker deals for verified data.
• Retain the current economic structures, incentive, pledge requirements etc.
• Be compatible with future changes in the direction of Filecoin Plus premium.

It will be more-or-less impossible to remove or change any exposed API after the first user-programmed contracts are deployed to the Filecoin mainnet, without breaking them. Thus, we should be quite conservative in what we expose, as it will bind us for a long time. Please review this proposal with a careful eye for unwanted lock-in that would prohibit reasonably foreseeable use cases.

Specification

I propose first new APIs for the built-in miner, market, and registry actors, followed by a description of the call sequences to achieve the primary use cases. These APIs only include the methods related to storage onboarding and deals. Assume the remainder of these actors’ APIs remain as-is.

This proposal is written assuming no other changes to core mechanisms.

• Sector content is write-once, not repeatedly updateable
• Filecoin Plus verified data cap has no explicit term limit (but implicitly limited by sector lifespan)

The architecture can be adapted to handle each of these changes. In practise, we should strive to coordinate any change in those policies with implementation of this architecture.

Storage miner actor

State

The miner actor no longer persists deal IDs in state at all.

// Sector pre-commit no longer references deals.
type SectorPreCommitOnChainInfo struct {
	SealProof       abi.RegisteredSealProof
	SectorNumber    abi.SectorNumber
	UnsealedCID		cid.Cid // CommD
	SealedCID       cid.Cid // CommR
	SealRandEpoch   abi.ChainEpoch
	Expiration      abi.ChainEpoch	
	// Also drop deprecated replace-sector fields.

	PreCommitDeposit   abi.TokenAmount
	PreCommitEpoch     abi.ChainEpoch
	DealWeight         abi.DealWeight // Assuming no changes to FIL+
	VerifiedDealWeight abi.DealWeight // Assuming no changes to FIL+
}

// Sector info no longer references deals either.
type SectorOnChainInfo struct  {
	SectorNumber          abi.SectorNumber
	SealProof             abi.RegisteredSealProof
	SealedCID             cid.Cid // CommR

	Activation            abi.ChainEpoch  
	Expiration            abi.ChainEpoch  
	DealWeight            abi.DealWeight // Assuming no changes to FIL+ 
	VerifiedDealWeight    abi.DealWeight // Assuming no changes to FIL+
	InitialPledge         abi.TokenAmount 
	ExpectedDayReward     abi.TokenAmount 
	ExpectedStoragePledge abi.TokenAmount 
	ReplacedSectorAge     abi.ChainEpoch  // Can deprecate 140 days after nv15
	ReplacedDayReward     abi.TokenAmount // Can deprecate 140 days after nv15
	SectorKeyCID          *cid.Cid
}

Methods

Deal IDs are no longer specified at sector pre-commitment. Instead, the pieces of data that comprise a sector’s data are declared as a “manifest” when the replica or update is proven.

The pre-commit deposit must be changed to a value that is independent of sector content. We set it to the 20-day expected reward from a fully-verified sector (i.e. 200-day reward of a CC sector). This is still less that the initial pledge, for all sectors. This is a separate, pre-requisite proposal #290.

The miner must commit to the both the sealed and unsealed CIDs at pre-commit. At PoRep it then checks that the unsealed CID matches that computed from the piece CIDs (and an optional implicit zero piece for padding), and the PoRep/SnapDeals proof verifies it corresponds to the sealed CID also committed earlier.

Each piece may specify a market contract address and market-specific identifier which it satisfies. The miner will synchronously notify that market address that the piece has been committed. The miner will pay no attention to the success or otherwise of that notification to the market: the sector will be committed regardless. Note that there is no requirement for the actor that is so notified to be some kind of marketplace: it is just a contract that is notified when the piece is committed.

Each piece may also declare a FIL+ verified data cap allocation ID that it satisfies. The miner actor will claim that allocation directly from the verified registry actor and, if successful, calculate quality-adjusted power according to the piece’s size. (There is an unresolved question about the term for data cap and associated power boost, omitted here).

// No deals specified during pre-commit.
type SectorPreCommitInfo struct {
	SealProof       abi.RegisteredSealProof
	SectorNumber    abi.SectorNumber
	UnsealedCID	cid.Cid // CommD
	SealedCID       cid.Cid // CommR
	SealRandEpoch   abi.ChainEpoch
	Expiration      abi.ChainEpoch
}
type PreCommitSectorBatchParams struct {
	Sectors []SectorPreCommitInfo
}
func (Actor) PreCommitSectorBatch(params *PreCommitSectorBatchParams)

// Sector content is declared at PoRep.
// (Previously, this data was fetched from the built-in market actor)
type SectorManifest struct {
	SectorNumber uint64
	// Declaration of pieces that make up the sector data.
	// Implicit "zero" piece to fill remaining capacity need not be specified.
	Pieces       []PieceManifest
}
type PieceDataManifest struct {
	PieceCID                 cid.CID // CommP
	Size                     PaddedPieceSize
	// Each piece may specify a FIL+ verified data cap allocation ID, for power boost.
	VerifiedDataAllocationID uint64 // Optional
	// Each piece may specify a market contract and deal ID to notify on commitment.
	MarketAddress            address.Address // Optional (for deals)
	MarketPieceID            uint64 // Deal ID, optional
}

type ProveCommitAggregateParams struct {
	SectorNumbers  bitfield.BitField
	AggregateProof []byte
	// Declaration of data for each non-empty sector.
	Manifests      []SectorManifest
	
}
func (Actor) ProveCommitSectorAggregate(params *ProveCommitAggregateParams)

// Deals are replaced by sector manifest.
type ReplicaUpdate struct {
	SectorID             abi.SectorNumber
	Deadline             uint64
	Partition            uint64
	NewSealedSectorCID   cid.Cid // CommR
	UpdateProofType      abi.RegisteredUpdateProof
	ReplicaProof         []byte
	Manifest             SectorManifest
}
type ProveReplicaUpdatesParams struct {
	Updates []ReplicaUpdate
}

func (Actor) ProveReplicaUpdate(params *ReplicaUpdateParams)

Verified registry actor

The verified registry actor now tracks data cap allocations in state explicitly, since it no longer trusts the market actor to do so alongside storage deals. Verified clients allocate data cap to a specific piece of data prior to making any deals for it, or with a signed message attached to a deal. No deal is necessary, though. A verified data allocation may be claimed by a provider that has committed matching data without regard to any storage market arrangements.

The code below does not address the term (time period) for a data cap allocation, which is now independent of any storage market deals. We may add an explicit term or limit, in which case the verified registry actor would likely also maintain state for each active allocation claim.

State

type State struct {
	// All existing state remains, including verifiers and verified clients'
	// un-used data caps.

	// Data cap allocations indexed by verified client address and allocation ID.
	// New allocations are stored here, and removed when either claimed or expired.
	Allocations cid.Cid // HAMT[address.Address]AMT[AllocationID]DataCapAllocation

	// Unique identifier for the next allocation to be issued.
	NextAllocationID AllocationID

	// Tracks allocations that have not yet reached their expiration
	// (whether claimed or not).
	// Ensures that providers can't claim the same allocation twice.
	PendingAllocations cid.Cid // Set[AllocationCid]

	// TODO: Possibly add a record for each active claim of data cap.
	// Necessary if we add term limits.
}

type AllocationID uint64

// Parameters for a single allocation.
// The client address and ID are absent since present in the HAMT key.
type DataCapAllocation struct {
	// Data and size for which the allocation is valid.
	PieceCID cid.CID
	Size     abi.PaddedPieceSize
	// Sole provider for which the allocation is valid (optional).
	Provider address.Address
	// Epoch before which this allocation must be claimed.
	Expiration abi.ChainEpoch
	// Opaque discriminator to distinguish multiple allocations
	// for the same data.
	Label []byte
}

Methods

Verified clients make explicit allocations for data cap with the verified registry actor. A client may make multiple allocations for the same piece (for distinct replicas), but each consume additional data cap.

The miner actor calls to the verified registry actor directly to claim data cap.

type AllocateDataCapParams struct {
	Allocations []DataCapAllocation
}

// Called by a verified client to allocate some of its data cap allowance
// to specific pieces and providers.
func (Actor) AllocateDataCap(params *AllocateDataCapParams)

// Data cap allocations signed by the client making the allocations.
// This allows a provider to submit allocations during storage onboarding,
// rather than requiring the client to make allocations on-chain beforehand.
// Similar to the built-in market's ClientDealProposal.
type AllocationCertificate struct {
	Allocations []DataCapAllocation
	Client address.Address	
	// Signature of client over the allocations.
	ClientSignature crypto.Signature 
}
type PublishAllocationsParams struct {
	Certificates []AllocationCertificate
}
// Called by a provider to publish data cap allocation certificates provided
// to it by clients.
// Publishing in advance of claiming ensures the client has the necessary
// data cap to satisfy them.
func (Actor) PublishAllocations(params *PublishAllocationsParams) 

type GetAllocationParams struct {
	Client     address.Address
	Allocation AllocationID
}
// Fetches an un-claimed, un-expired allocation.
// Not used by other actors, but for inspection by off-chain parties.
// NOTE: probably implement a batch version
func (Actor) GetAllocation(params *GetAllocationParams) *DataCapAllocation

type RevokeExpiredAllocationsParams struct {
}
// Cleans up all expired allocations.
// The data cap for cleaned-up allocations is returned to the client.
// Note that un-expired allocations cannot be revoked.
func (Actor) RevokeAllocations(params *RevokeExpiredAllocations)

// Each sector may make multiple claims for different pieces
type AllocationClaim struct {
	Allocation AllocationID
	PieceCID   cid.Cid
	Size       abi.PaddedPieceSize
}
type SectorAllocationClaim struct {
	// The sector ID is not (yet) used by the registry actor.
	// It's passed here in preparation for future use if verified data rewards
  // are processed in this actor directly.
	SectorID abi.SectorNumber
	// Pre-registered allocations claimed by this sector.
	Claims []AllocationClaim
	// Certificates for new allocations claimed by this sector.
	Certificates []AllocationCertificate
}
type ClaimAllocationsParams struct {
	Sectors []SectorAllocationClaim
}

type SectorClaimResult {
	// The IDs of allocation claims that succeeded.
	SuccessfulClaims []AllocationID
	// The allocation ID and piece specification for certificates successfully redeemed.
	SuccessfulCertificates []AllocationClaim
}
type ClaimAllocationsResult struct {
	// Sector results parallel to ClaimAllocationsParams.Sectors
	SectorResults []SectorClaimResult
}

// Called by storage miner actor to claim allocations for data
// provably committed to storage.
// For each allocation claim, the registry checks that the provided piece CID
// and size match that of the allocation.
// For each certificate, the registry allocates the data cap immediately,
// if possible.
func (Actor) ClaimAllocations(params *ClaimAllocationsParams) *ClaimAllocationsResult

Storage market actor

The built-in market actor loses its privileged role (except for continued use of the Cron actor), and becomes just one of many possible market mechanisms that could be implemented as user contracts.

The basic SectorDeals map in state and SectorContentAdded method described below supports deals within the current restrictions of the market actor: deals cannot exceed their sector’s committed lifetime, the data cannot be moved between sectors, deals cannot be extended. Extension methods are outlined to show how this API can be extended to break those limitations in the future.

Deal negotiation

A client must provide information about verified data allocations to the provider, since the (market-specific) deal proposal is no longer reliable. The provider can check with the verified registry actor that an allocation is valid, or publish certificate to the chain either eagerly or lazily.

// The VerifiedDeal field in a deal proposal is deprecated.
// The market actor is no longer involved in verified data cap allocation.
// The field remains only for structural backwards compatibility with 
// existing off-chain negotiation protocols.
type DealProposal {
	// All fields as today.
	VerifiedDeal bool // Must be always false
}

// This is the off-chain storage deal proposal request,
// from client to provider when proposing a deal.
// New fields that identify any verified data cap allocation.
type Proposal struct {
	// Existing fields remain
	DealProposal  *market.ClientDealProposal
	Piece         *storagemarket.DataRef
	FastRetrieval bool
	// New fields. Either allocation ID or certificate may be provided.
	VerifiedDataAllocationID          verifreg.AllocationID
	VerifiedDataAllocationCertificate verifreg.AllocationCertificate
}

State

type SectorDeals struct {
	SectorExpiration abi.ChainEpoch
	Deals            []abi.DealId
}
type State struct {
	// All existing state as today.

	// Maps sector IDs to deals, per storage provider.
	// This supports the actor keeping track of whether deals remain satisfied
	// as data moves between sectors in the future.
	SectorDeals cid.CID // HAMT[address.Address]AMT[abi.SectorNumber]SectorDeals

	// TODO: should we also write the deal's sector ID into the deal state?

	///// Extensions

	// A queue of sector IDs by their expiration epoch.
	// Records sectors for which the market must check if deals have been
	// re-commited to new sectors before the original one expires.
	// This supports the market accepting deals that have a term longer
	// than the lifespan of the sector they are originally sealed into.
	// No need to track where the deal fits inside a sector's lifespan:
	// the market will be explicitly notified if the sector terminates early.
	SectorExpirations cid.CID // AMT[abi.ChainEpoch]bitfield.Bitfield

}

Methods

The market actor becomes an example for other actors. While the deal-negotiation methods need not be standardised, the method/s by which the storage miner actor informs the market of changes to sector content must be standards.

// Publishing storage deals is unchanged except that the VerifiedDeal
// flag in the deal proposal must be false.
// This method is NOT STANDARDISED across markets, as they may have
// different deal proposal structures.
type PublishStorageDealsParams struct {
 	Deals []ClientDealProposal
}
type PublishStorageDealsReturn struct {
	IDs []abi.DealID
	ValidDeals bitfield.BitField
}
func (Actor) PublishStorageDeals(params *PublishStorageDealsParams)

type PieceInfo struct {
	// The piece data commitment and size, verified by the miner actor.
	CID  cid.Cid
	Size abi.PaddedPieceSize
	// Market-specific identifier for this piece, provided by the provider.
	// E.g. the deal ID which the provider claims this piece satisfies.
	// TODO: can we find a more generic name than "deal"?
	// TODO: should we use a more flexibile []byte key?
	DealID uint64
}
type SectorContentAddedParams struct {
	Sector     abi.SectorNumber
	Expiration abi.ChainEpoch
	Pieces     []PieceInfo
}
// Called by the miner actor when non-zero data is proven in a sector,
// either at initial PoRep, or with a replica update (Snap).
// Checks that the piece CID and size match the nominated deal, and consider
// the deal active if so.
// This replaces the current ActivateDeals.
// Without extensions, rejects attempts to satisfy a deal if the deal term
// is beyond the sector expiration.
// With state.SectorExpirations state member, can support deals with arbitrary terms.
// Note: will probably implement a batch version, single use shows for simplicity.
// TODO: add a generic return value to be threaded back through the miner
// to the caller?
// STANDARD METHOD: other market actors must implement the same method
// signature if they expect to receive calls from the miner actor when
// data is committed.
func (Actor) SectorContentAdded(params *SectorContentAddedParams)

type SectorTerminatedParams struct {
	Epoch   abi.ChainEpoch
	Sectors []abi.SectorNumber
}
// Called by the miner actor when a sector is terminated ahead of its
// scheduled expiration.
// Pending a mechanism for fine-grained event registrations, this is called
// for all unscheduled sector terminations, whether or not the sector holds
// a deal for this market (because the miner doesn't know).
// The market actor looks up the sector->deal map and marks any
// deals found as terminated (but defers further processing until cron).
// This replaces OnMinerSectorsTerminate().
func (a Actor) SectorTerminated(rt Runtime, params *OnMinerSectorsTerminate)

///// Extensions

// We can immediately support deal extension up to the *original* expiration of
// the sector with no further state.

type SectorExpirationChangedParams {
	Sector        abi.SectorNumber
	OldExpiration abi.ChainEpoch
	NewExpiration abi.ChainEpoch
}
// Called by the miner when a sector's expiration epoch is extended.
// Can support extending a deal up to the sector's *new* expiration.
// Note: will probably implement a batch version, single use shows for simplicity.
// STANDARD METHOD.
func (Actor) SectorExpirationChanged(params *SectorExpirationChangedParams)

// With state.SectorExpirations, can support deal extension to arbitrary terms,
// beyond a sector's currently committed lifespan, by the provider
// re-committing the same data into a new sector.
// Deal extension is a simple case of more general deal re-negotiation.
// Such methods are NOT STANDARDISED, and depend on individual market features.
// Details omitted here.

// If we make sector content updateable, a new SectorContentChanged
// method implicitly replaces any pieces not explicitly mentioned.
// In order to track pieces between sectors, either 
// (a) caller must also specify the previous sector ID for a piece, or
// (b) store deal sector ID in deal state object.
// STANDARD METHOD.
func (Actor) SectorContentUpdated(params *SectorContentUpdatedParams)

Control & data Flows

The standard end-to-end verified deal onboarding flow currently looks like this:

SP → Market.PublishStorageDeals
SP → Miner.PreCommitSector[Batch]
    Miner → Market.VerifyDealsForActivation
SP → Miner.ProveCommitSector[Aggregate]
    Miner → Market.ComputeDataCommitment
    Miner → Market.ActivateDeals

After this architecture, it looks like this:

Client → VerifReg.AllocateDataCap [Alternatively, EOA clients can provide a certificate during deal negotiation]
SP → Market.PublishStorageDeals
SP → Miner.PreCommitSector[Batch]
SP → Miner.ProveCommitSector[Aggregate]
    Miner → VerifReg.ClaimAllocation
    Miner → Market.SectorContentAdded

The storage provider specifies the FIL+ allocation and deal IDs when proving a sector. The miner actor checks that these values match the sector content, and then passes them on as trusted values to the verified registry and market actors.

Frequent flows will be even simpler.

• For a deal that is not verified, the verified registry actor is not involved, so neither the client nor the miner actor need call to allocate or claim data cap.
• For a verified data cap without a deal, no market is involved, so the provider need not publish the deals nor call the market to inform it of the new committed content.

Migration

A state migration is required to realise this architecture in mainnet. Details to be fleshed out in a FIP, but in brief:

• Move the sector→deal mappings from miner sector info to market actor
• Populate market’s sector expiration queue
• Leave existing QA power, pledge, penalty values in place for existing sectors

Discussion

Some non-obvious implications of this architecture.

• Separating FIL+ verified deals from the storage market leaves verified data cap without an explicitly defined term. In the basic case, data cap allocations will remain bound by the maximum lifespan of the sector into which the data is sealed (but that’s still 3x longer than the current bound of 540 days). This policy needs to be analysed carefully and we may introduce an explicit term limit for data cap.
• Since FIL+ verified deals are decoupled from the market, there is no need to make a “free” storage deal for data that a provider is willing to store only for its QA power benefits. It’s sufficient for a verified client to allocate the data cap. The provider may then commit the data into a sector and claim the data cap without interacting with any storage market.
  A storage market deal is only necessary when the client intends to pay funds above the block reward boost the provider will earn.

Compatibility

Changes the off-chain deal negotiation protocol to support the client demonstrating a data cap allocation.

Extensions

These APIs are designed with extension to more powerful and flexible programmable storage in mind. In general these will require new methods to be added.

• Support for deal extension
  • Extension of deal terms, possibly indefinitely, can be made possible by committing the same deal data into a new sector. A sketch of these methods is provided above
• Updateable sector content
  • Sector content is presently write-once, primarily due to restrictions imposed by the QA power mechanism. When we resolve those restrictions, miners can update the content in sectors after the initial seal or replica update. To support this safely, markets must be provided a notification whenever the content of a sector that is (was) supporting deals from that market changes. Something like the miner→market registrations proposal could achieve this, but requires some detailed design to find a good simplicity/efficiency trade-off.
• Transfer between providers
  • New methods could support the transfer of sector content between storage providers, with the appropriate notifications to market actors. Markets would set their own policy as to whether such transfer is permitted under the deal terms.
• Fault notifications.
  • Markets may wish to be notified when a sector becomes temporarily faulty. The FIL+ premium proposal also requires this. The miner→market registrations proposal may satisfy this need.
• Async sector content proofs, with new piece inclusion proof
  • At present, a miner must activate deals synchronously with proving the sector content. This is because the unsealed sector CID (”CommD”) is not stored on chain, but is required in order to demonstrate the inclusion of any specific data within the sector. Future work may provide an inclusion proof that can be evaluated after sealing in order to demonstrate to a market (or the verified registry actor) that a provider is storing some data some time after the sector is sealed.

[hannahhoward]

First some smaller comments:

type AllocationClaim struct {
	Allocation AllocationID
	PieceCID   cid.Cid
	Size       abi.PaddedPieceSize
}

DataCapAllocation already contains the PieceCID why does it live here as well?

type PieceInfo struct {
	// The piece data commitment and size, verified by the miner actor.
	CID  cid.Cid
	Size abi.PaddedPieceSize
	// Market-specific identifier for this piece, provided by the provider.
	// E.g. the deal ID which the provider claims this piece satisfies.
	// TODO: can we find a more generic name than "deal"?
	// TODO: should we use a more flexibile []byte key?
	DealID uint64
}

for Market.SectorContentAdded uses a uint64

while

type PieceDataManifest struct {
	PieceCID                 cid.CID // CommP
	Size                     PaddedPieceSize
	// Each piece may specify a FIL+ verified data cap allocation ID, for power boost.
	VerifiedDataAllocationID uint64 // Optional
  // Each piece may specify a market contract and deal ID to notify on commitment.
	MarketAddress            address.Address // Optional (for deals)
	MarketPieceID            address.Address // Deal ID, optional
}

for Market.ProveCommitSector uses address.Address (i.e. []byte)

I think it should definitely be a []byte, unless uint64 is just a convenient way of restricting the size to 8 bytes.

3. That is a seperate and interesting question -- how much data do we allow markets to store in these identifiers?

[anorth]

Thanks for the thorough review!

DataCapAllocation already contains the PieceCID why does it live [in AllocationClaim] as well

AllocationClaim is a parameter type, rather than state type. The PieceCID in the AllocationClaim is provided by the miner operator when proving a sector. The operator is not trusted. The miner code checks that the piece CID was indeed included in in the sector CommD/R but it can't independently verify that the PieceCID matches the allocation the operator claims it it satisfying. So the PieceCID is passed on to the registry actor to verify.

// For each allocation claim, the registry checks that the provided piece CID and size match that of the allocation.

[anorth]

The deal ID type is inconsistent... how much data do we allow markets to store in these identifiers?

Oops, I meant to use uint64 everywhere, thanks. I've left a TODO to consider []byte instead, as you suggest. The flexibility could be good, but a little overhead for the very likely common case of using integers.

[hannahhoward]

Larger comments relating to verified data cap seperation from market actor and the deal flow:

1. VerifReg.AllocateDataCap gets called very early in the flow, we we have no specified revocation method. Presumably, it must be presented near the very beginning of deal negotiation. Previously this commitment wouldn't have happened until PublishStorageDeals which is farther in the process (and with a higher provider commitment cause they're locking funds in the market actor). Let's say the provider just says "no" to the deal proposal.

   • assuming everyone's being acting benevolently, the provider in that case would not call Verifreg.PublishAllocations -- the client's data cap is unaffected and the allocation just sort of sits around as unused state in the VerifReg actor till it expires -- is this correct?
   • perhaps a client should be able to revoke an allocation until PublishAllocations is called?
   • I guess if no provider address is specified the allocation can be reused in a proposal to a different provoider?
   • when does a benevelont provider call Verifreg.PublishAllocations? I think it's right before they call Market.PublishStorageDeals, after data transfer? Seems reasonable. What happens if someone else already published it? (if no provider address was specified)
   • is there a problem if the malicious provider calls PubishAllocations immediately then just throws out the proposal? Now the clients data cap is locked and used till the claim expiration. I guess it's not of much use to the provider unless they actually get the data and seal it?
   • if I send a provider a Proposal (with AllocationCertificate) and my data, they can now just use it without ever publishing to a market actor I think. Is this a problem? Presumably the provider is just hurting themselves by not accessing that market actor's payment mechanisms.

2. This is significant work to change whatever markets libraries are in heavy use when this goes live. I think that will be mostly filclient/Boost. Unless we want to actually make all the verified data steps live outside the markets process entirely (probably not a good idea). Probably good to have @dirkmc 's eyes on this.

[anorth]

perhaps a client should be able to revoke an allocation until PublishAllocations is called

There is no revocation mechanism for published but unexpired allocations, by design. If there were, a provider could not trust that the client won't revoke the allocation after doing all the work to fetch and possibly seal the data. This does leave open the possibility of a provider griefing a client a little by leaving the data cap locked until the allocation expires.

client's data cap is unaffected and the allocation just sort of sits around ... till it expires

One point that may not have been clear: either the client calls AllocateDataCap, or the provider calls PublishAllocations with a certificate provided to it by the client. After either one of those, the provider is ready to claim the allocation by proving the data commitment.

In what I expect will be the common case, the provider gets certificates that nominate that provider explicitly and, if acting benevolently, just doesn't publish them if it doesn't intend to claim them. The data cap is never locked, the client is free to re-allocate to another provider. The reason to publish them is to get a timelock on the client's commitment while the provider does the data shuffling.

In case the client called AllocateDataCap instead, then yes the allocation would sit around until expiration.

if no provider address is specified the allocation can be reused in a proposal to a different provider

For "no-provider" allocations, I would expect a client to call AllocateDataCap, thus publishing the allocation to the world in one fell swoop. That functions somewhat like a bounty, and at that point it's a race for the first provider to provably commit the data to claim the allocation. I haven't attempted to design the dynamics of how a provider might decide to try to take such a bounty, but I expect there's an equilibrium where they don't try but lose that race very often.

A no-provider certificate could be signed and published somewhere else, perhaps to a small group. That would set off the same race.

I could be convinced no-provider allocations are a bad idea, but seemed to me to be an expedient way to implement a bounty mechanism.

when does a benevolent provider call Verifreg.PublishAllocations? before they call Market.PublishStorageDeals, after data transfer? ... if I send a provider a Proposal (with AllocationCertificate) and my data, they can now just use it without ever publishing to a market actor.

For all of the deals that are today verified but specify zero storage fee, no market deal is required at all and the provider need never call PublishStorageDeals. The only reason to go to the trouble and cost of publishing a deal is for the client to pay an additional amount, above the quality-adjusted power subsidy. So yes, both your sequencing is accurate (if there is a deal) and also the market interaction sometimes becomes unnecessary.

[anorth]

@hannahhoward both of your concerns ended up solved upstream in the implementation sketch for #313, by the realisation we could model FIL+ data cap as a fungible token and then use the relatively common practise of authorizing delegates to act on behalf of token holders. If the built in market (or other market actor) is authorized as a delegate for FIL+ clients, it can continue to mediate the allocation of data cap so that (1) we don't need explicit pre-allocation and (2) we don't need to change deal negotiation.

[anorth]

I have updated the original post here to reflect a design based on #313 as a prerequisite. The result is much simpler all round. #313 makes all the necessary changes to FIL+. Modelling data cap as a fungible token, with market actors acting as delegates, also removed the need to change off-chain deal negotiation protocol.

The result is a relatively small change to the interactions between built-in actors, but the major work ecosystem-wide will be changes to how SPs and clients interact.

I want to explore the possibility of making this in a backwards-compatible way, such that we could expose new APIs while leaving the old flows working for a bit. The implementation sketch for #313 does this for data cap, it would be attractive to try to continue it.

[anorth]

FIP-0045 dropped the concept of ranges that can support FIL+ allocations for pieces that are larger than a single sector. One reason for dropping it is that it wouldn't actually be usable until coupled with some API changes like those necessary for this proposal. So when implementing this one, we should consider bringing ranges back into scope here. See #313 (comment)

[anorth]

Another piece initially in FIP-0045 scope but removed was support for re-committing a piece of verified data that was lost, re-claiming the power boost. See #313 (comment)

[ZenGround0]

Updateable sector data, sector expiration changes and movement of data between sectors are all operations that will need to load the sector info. It makes sense to set sector-wide permissions on the sector info based on the piece manifests being committed to.

For example a deal that does not want data to stick around past the deal will set Extendable permission to false. Subsequent extensions will check permissions and fail. A deal that doesn't care which miner has the data will set Moveable permission to true. Move operations will check permissions and succeed. AllowUpdatePastEpoch permissions would let piece manifests enforce no data updates until their deal is finished.

We could do this in aggregate at a higher level. For example keep a bunch of permission sets in the miner state. Sectors with immutable data are kept in one bitfield, sectors with data that can move across sectors are kept in another bitfield etc. But since the relevant operations should always load the sector info it's probably better to put permissions there directly.

[ZenGround0]

As long as SectorContentAdded passes over the permissions markets can check these and accept or reject the deal on their side.

[ZenGround0]

The market actor is informed of piece commitments into sectors, but has no power to deny them

Actually if we go down this route we'll want to revisit this. If we keep it as is then market actors will be unable to gate FIL+ allocations beyond the existing FIL+ checks. It seems like markets should reasonably be able to grant FIL+ to sectors only obeying the correct permissions.

[scotthconner]

Quick question to help me understand a bit: why is there an execution coupling between the sealing/committing the sector, and the market actors? The pub-sub issue as you mentions is clumsy. Why can't the market come back on behalf of a user, check state, and do something about it via a subsequent on-chain transaction? Having to multi-plex could cause scalability, gas, or execution concerns if somehow the pub/sub on a miner action invoked 100 contracts.

Am I understanding this right?

[jennijuju]

I think you are on the right direction & decoupling miner and market is one of the the main goal of this.
We still wanna be able to track deal status one way or another in the sector given they impact the power - so we need a standard to let the miner actor know how to get the deal information (size and duration) and confirm what’s stored and reward accordingly.
Imho it also still provides a fallback/fundamental way for us to address content in the network

[scotthconner]

Thanks, I think I know where you're getting. Since power management is separate from things like, rewards on deals in user-land, I'm positing that instead of providing an execution-callback to user-land smart contracts, let the smart contracts read the state as part of a separate transaction. Potentially, ensuring more end to end automation might be a task for say, safecron and not having the protocol spend gas to power market contracts when publishing deals.

Does that make sense? Maybe its soup.

[anorth]

The reason for the execution coupling is because the commitment to the data in the sector (unsealed CID, aka CommD) is not stored on chain. The only time it is available to actors is in memory during the execution of the ProveCommit or ReplicaUpdate operation. The market can't come back later to check because it's not there.

The first answer to why the CommD is not stored on chain is that it's big. Storing CommD for every sector would nearly double the size of the Filecoin state tree; it's dominated already by the similarly sized sector replica commitments (CommR).

However, we can do better. @ZenGround0 has some solid ideas in #496, and I expect we'll implement some variant as part of this programmable markets effort.