Problem statement
Implement a maximum unaggregated fees trigger (that is larger than the trigger for RAV request) over which business with a sender is to be denied.

Expectation proposal
Adding:

• A new unaggregated fees trigger for sender denial
• A sender deny list in DB
• PG notifications to quickly inform the indexer-service instances of adding/removal from the deny list

Indexer management client is required to resolve queries to Indexer DB.
In indexer-service, the requirement for indexer management client is to serve queries to cost models.

• create IndexerManagementClient and add to ServerOptions
• define IndexerManagementModels to include CostModelModels
• allow sql queries of Cost Model to the client

Since the merge of #47, we can start preparing for some very basic integration tests. What's missing:

• #49 Handling of the receipt aggregate requests. So for now the receipts would just get stored and nothing happens. The "tap_receipts" DB migrations would have to be run by hand for the indexer-service to be happy (the indexer_tap_agent would take care of the migrations, following the existing logic for the other components).
• #50 Handling of the RAVs in indexer-agent when it's time for the indexer to redeem their query fees

Subgraph queries panic early when attempting to use the QUERY_DURATION metric.

thread 'tokio-runtime-worker' panicked at 'called `Result::unwrap()` on an `Err` value: InconsistentCardinality { expect: 2, got: 1 }', /home/theodus/.cargo/registry/src/index.crates.io-6f17d22bba15001f/prometheus-0.13.3/src/vec.rs:258:49
...
at /home/theodus/src/edgeandnode/local-network/build/graphops/indexer-service-rs/service/src/server/routes/subgraphs.rs:40:32

QUERY_DURATION is declared with the expectation of 2 labels, deployment & name, here. But only deployment is set here. I would have just fixed this, but I'm not sure what the name label is supposed to be populated with.

          That's a good point. Is our thinking so far that the RAV request threshold is per `(sender, allocation)`? From a user (i.e. indexer) perspective, that doesn't feel very intuitive. More intuitive would indeed be: "per sender, I'm willing to run a risk of X GRT remaining uncollectable". That would also open the door to per-sender risk thresholds.

Originally posted by @Jannis in #83 (comment)

Problem statement
There's only 3 fields in the metrics tracked. It would be good to have flexibility in this struct so we can add more metrics for individual data services instead of hosting a separate metrics service.

pub struct IndexerServiceMetrics {
    pub requests: IntCounterVec,
    pub successful_requests: IntCounterVec,
    pub failed_requests: IntCounterVec,
}

Expectation proposal

Generic type/field added to IndexerServiceMetrics and function to register more metrics.

Alternative considerations
We can have a separate metrics server on the data service level, but that structure seems a bit convoluted for the data providers.

While multi-network support has landed for indexer-agent, it hasn't yet for indexer-service.
So no rush there yet.

The /status route seems to be returning a JSON string value of the expected response body. Example:

"{\"data\":{\"indexingStatuses\":[{\"subgraph\":\"QmNmVRCM39PKPXqC9HNFSGW9WQWzDTWUEmpLktAd26vYCQ\",\"chains\":[{\"network\":\"hardhat\",\"latestBlock\":{\"number\":\"599\",\"hash\":\"cd3e683d1b9c8829f21b0a0c39a00ec4ec67fdb38756fcf4a275121de177ba9b\"},\"earliestBlock\":{\"number\":\"0\",\"hash\":\"0x0\"}}]},{\"subgraph\":\"QmRR4o5jApp3v7Wcym6o8dXJtBo2chnxDyFyKt12nK6eTE\",\"chains\":[{\"network\":\"hardhat\",\"latestBlock\":{\"number\":\"2265\",\"hash\":\"ca89f224b4e310a790266b94608e270b01072e514c2a5ec70f4ddf580837bc64\"},\"earliestBlock\":{\"number\":\"0\",\"hash\":\"0x0\"}}]},{\"subgraph\":\"QmeVg9Da6uyBvjUEy5JqCgw2VKdkTxjPvcYuE5riGpkqw1\",\"chains\":[{\"network\":\"hardhat\",\"latestBlock\":{\"number\":\"2312\",\"hash\":\"64272c37ada8842f1dec2fb0e7ee2f5e43684d0c1080b791223aa100ad194174\"},\"earliestBlock\":{\"number\":\"0\",\"hash\":\"0x0\"}}]},{\"subgraph\":\"QmTcYL6jsUDW2y8QE4zre7jgS26qen7PCURSdymsaVL9cG\",\"chains\":[{\"network\":\"hardhat\",\"latestBlock\":{\"number\":\"2312\",\"hash\":\"64272c37ada8842f1dec2fb0e7ee2f5e43684d0c1080b791223aa100ad194174\"},\"earliestBlock\":{\"number\":\"0\",\"hash\":\"0x0\"}}]}]}}"

Example response from the TS indexer-service in the same environment (expected):

{"data":{"indexingStatuses":[{"subgraph":"QmNmVRCM39PKPXqC9HNFSGW9WQWzDTWUEmpLktAd26vYCQ","chains":[{"network":"hardhat","latestBlock":{"number":"599","hash":"cd3e683d1b9c8829f21b0a0c39a00ec4ec67fdb38756fcf4a275121de177ba9b"},"earliestBlock":{"number":"0","hash":"0x0"}}]},{"subgraph":"QmRR4o5jApp3v7Wcym6o8dXJtBo2chnxDyFyKt12nK6eTE","chains":[{"network":"hardhat","latestBlock":{"number":"2265","hash":"ca89f224b4e310a790266b94608e270b01072e514c2a5ec70f4ddf580837bc64"},"earliestBlock":{"number":"0","hash":"0x0"}}]},{"subgraph":"QmeVg9Da6uyBvjUEy5JqCgw2VKdkTxjPvcYuE5riGpkqw1","chains":[{"network":"hardhat","latestBlock":{"number":"2328","hash":"ed848b1de1913d3f857026bd48f2f5574ae547657c2df3c77e815e3e0333c3ba"},"earliestBlock":{"number":"0","hash":"0x0"}}]},{"subgraph":"QmTcYL6jsUDW2y8QE4zre7jgS26qen7PCURSdymsaVL9cG","chains":[{"network":"hardhat","latestBlock":{"number":"2328","hash":"ed848b1de1913d3f857026bd48f2f5574ae547657c2df3c77e815e3e0333c3ba"},"earliestBlock":{"number":"0","hash":"0x0"}}]}]}}

steps to reproduce

curl http://${host}:${port}/status \
  -H 'content-type: application/json' \
  -d '{"query": "{ indexingStatuses(subgraphs: []) { subgraph chains { network latestBlock { number hash } earliestBlock { number hash } } } }"}'

Deployment health server at subgraphs/health/:deployment to

• query graph node status endpoint for deployment's indexing status
• process graph node's block number results for formatted response

Receipt related operations should be dealt by an Allocation receipt manager. The original flow from indexer typescript should be replaced with TAP manager instead.

Brief functionalities needed

• TAP manager to handle receipts logic
  • derive, cache, and look up attestation signers
    • contracts - connect by network chain id
      • network provider
  • validate receipt format, parse receipt, validate receipt signature
  • store receipt to db
• receipts graphQL schema for storage and queries
• extract graph-attestable from graph node response header
• monitor eligible allocations for client signer
  • network subgraph query for eligibility
  • operator wallet -> indexer address

When an indexer is queried, using some subgraph deployment ID, the response should include it's latest indexing status (block number) for the queried deployment. Especially on fast chains, it is impractical for clients to query the indexing status constantly to track the indexer's status. I propose we add a header to the response like indexing-status: ${block_number}

See graphprotocol/indexer#791

The agent will be tasked with:

• Monitoring outstanding, un-aggregated query fees
• Completing all the receipt checks
• Requesting receipt aggregate vouchers (RAVs) periodically from senders
• Storing the RAVs in DB for the indexer-agent to eventually redeem on-chain.

• unit tests #14
• API tests #15
  • enable sqlx test in CI #44
• Integration tests #16

Escrow subgraph deployment: QmcPoPmisXLzsJXsdU6UUQ8Xot9ucfgaQgXvcnQDi4cUsX, make queries to https://api.studio.thegraph.com/proxy/53925/timeline-aggregation-protocol/v0.0.2/graphql

• use flamegraphs to find a set of optimization targets
• create benchmarks for these optimization targets, and if appropriate use something like cachegrind and cg_diff to measure cpu instructions, off cpu analysis
• Track performance, and if possible diff against performance with typescript implementation

Currently the allocation monitor allows recently closed allocations until the end of the next epoch.
Instead, they should be allowed for a short time after the allocation close itself (match indexer-agent, few minutes?).

Problem statement
TAP Agent will currently tell SenderAllocationRelationships to do their last RAV request when an allocation or a sender become ineligible. The actual RAV request is done asynchronously and therefore the finished SenderAllocationRelationships cannot be removed immediately.

Expectation proposal
There needs to be a process that will check SenderAllocationRelationships that are finished and deletes them. Ideally in a separately spawned async task of some sort.

Additional context

Problem statement
TAP Agent will currently try to send all unaggregated receipts with a RAV request.
The TAP Aggregator will currently not accept more than 10MB of data per request (otherwise would be a DoS vector). It was therefore decided that the TAP Aggregator should be guaranteed to handle a maximum of 15,000 receipts per call.

Expectation proposal
Implement the logic that will only pull up to 15,000 oldest unaggregated receipts per RAV request, as well as continuing to do more RAV requests if there should be more than 15,000 receipts to aggregate.
This will involve changes in https://github.com/semiotic-ai/timeline-aggregation-protocol/tree/main/tap_core.

Additional context
https://github.com/semiotic-ai/timeline-aggregation-protocol/blob/main/tap_aggregator/README.md

Describe the bug

https://github.com/graphprotocol/indexer-rs/blob/main/common/src/allocations/monitor.rs#L68
This query string limits indexer_allocation query to first 1000 active allocations with no pagination. Shown by an instance that there exists indexer with 1000+ active allocations, this function fails to grab all eligible allocations for monitoring.

Expected behavior
Add pagination to the query and ensure all active allocations for an indexer are monitored.

Additional context
Uncovered by the same issue on TS version of indexer-service

Add the paid query flow into subgraph_queries\id\:id to enable profitable data services 🥳.

• QueryProcessor::execute_paid_query (might be a plant first)

inherited from @aasseman hopeyen/indexer-service-rs#20

The goal is to enable the indexer-agent to redeem RAVs if they're found in the database, in addition/instead of (TBD) the legacy query voucher system.

This issue is to be moved to the github.com/graphprotocol/indexer repo when we're ready to work on it.

If indexer provide endpoints for a self-hosted IPFS node, then enable routing at /ipfs with a limited set of APIs

inherited from the issue made by @aasseman hopeyen/indexer-service-rs#16

The license requires headers at the top of each source file.

I propose that we use this format:

// Copyright 2023-, [attribution]
// SPDX-License-Identifier: Apache-2.0

However, I'm not 100% sure about the attribution. Should it be "Hope Yen", "GraphOps", "GraphOps and Semiotic Labs", "The Graph Foundation"? Perhaps it could also be per file, such that files that I creates have "Alexis Asseman", and yours are "Hope Yen"?

And then we can also use CI like here to make sure we don't forget in the future?

I think we could do GraphOps and Semiotic Labs, will assign myself and do similar to the reference CI example

https://www.notion.so/graphops/Repo-Checklist-fbff0e68a84343ed925388fe6c92c705?pvs=4

Problem statement
We are not checking (in indexer-service) that new receipts have a reasonably accurate timestamp (let's say within 5 seconds of our own clock). So as it is right now it is not really safe :/.

Expectation proposal
Check in-band that receipt timestamps are reasonably close to the system clock.

Additional context
#83 (comment)

Problem statement
The TAP Aggregator API is based on JSON-RPC. Thus there are easy bandwidth gains to be had with request compression since JSON is usually highly compressible.

Additional context

          The refactoring of graph-node made sense, though I think Graph node / Query processor shouldn't track the endpoint for network subgraph. Maybe it is worth having a separate network_subgraph client to execute queries with?

Originally posted by @hopeyen in #28 (review)

Problem statement
TAP Agent does not currently check that the receipt values are correct w.r.t the query and Agora model.

Expectation proposal
Computing a query's price w.r.t. an Agora model is fairly easy on principle, as the canonical Agora implementation already is a Rust library: https://github.com/graphprotocol/agora.

However:

• Indexers can change their Agora models at any time.
• Gateways poll the indexer's models at a regular interval (~30sec).
• The indexer is not informed of which model was used for a particular query (would have to guess by testing its most recent model versions).
• There is no standard currently as to how long a gateway is authorized to use an obsolete model.

Additional context

We're currently using IndexerError here and there but not as consequently as in the original indexer-service. Creating an indexer error also doesn't trigger prometheus metrics, which is crucial for indexers to monitor the health of their service.

Task from EPIC: Testing#7

full coverage is the goal but be realistic about priorities

• Validate configs, fail at startup if any provided configuration isn't valid
• types: Subgraph deployment id IpfsHash and bytes representations
• Create graph node instance
• Util functions
  • package_version
  • public_key
• attestation_signer
  routing helpers
• routes::deployment::block_numbers
• routes::basic::operator_info

• Serve cost model requests
• provide cost model GraphQL schema
• build request to query the indexer management server
• process and format response before returning

Task from #7

Integrate with the rest of indexer components and serve for testnet gateway that has simulated query traffic

Task from #7

API tests for

• constant routes
  -[ ] health
  -[ ] version
  -[ ] operator/info
• nested passthroughs
  -[x] graph node query endpoint
  -[x] network subgraph (if not locally syncing the deployment)
  -[x] allocation monitors and signers
  -[ ] cost server
  -[ ] graph node status endpoint

• stream logging for the server
• basic rate limiter (network limiter for network queries, slow limiter for other routes except for subgraph queries)
• performance measurements required to add ratelimiter for subgraph queries

The behavior of monitor_deployment_status is incorrect for the following reasons:

1. The query uses the wrong filter key, resulting in the expected 0 index value potentially being the status for a different deployment. It should be the following:

   query indexingStatuses($ids: [ID!]!) {
       indexingStatuses(subgraphs: $ids) {
           synced
           health
       }
   }

2. The status_url is not the correct URL. On my local-network, it's set to http://172.17.0.1:8000/status instead of http://localhost:8030/graphql, despite the latter being set as --graph-node-status-endpoint.
   

Problem statement

For facilitating payments for Firehose and Substreams data, we will need to extend the functionality of TAP agent as described in this issue. Note: The bold parts in the use case description are what require new TAP agent functionality.

This assumes that indexers will run e.g. a Firehose Indexer Service that consumers will open a connection with in order to exchange TAP receipts and RAVs. This service will need to know when to request an RAV from a consumer and when to stop serving them.

Unlike with gateways that have a public endpoint to send RAV requests to, the only way to get RAVs from consumers is by "talking" to them directly. We therefore envision roughly the following architecture for this:

flowchart TB

  subgraph Indexer
    fis[Firehose Indexer Service]
    f[Firehose]
  end

  subgraph Consumer
    fc[Firehose Client]
    fnc[Firehose Network Client]
  end

  fc -- Firehose requests --> fnc
  fnc -- Data stream --> fc
  fis -- Authorization response, receipt & RAV requests --> fnc
  fnc -- Authorization request, receipts & RAVs --> fis

  fnc -- Firehose requests --> f
  f -- Data stream --> fnc
  f -- Report bytes sent/read --> fis

How does this work in practice?

1. Firehose Client wants to stream some data and makes requests to a local Firehose Network Client.
2. Firehose Network Client picks an indexer to use and opens a payment connection with its Firehose Indexer Service.
3. Firehose Indexer Service decides whether it still owes the consumer some data from a previous receipt.
   1. If yes, it sends an authorization message back that includes a Firehose URL and auth token.
   2. If no, it sends a receipt request back. Once it gets a receipt from the Firehose Network Client, it sends the authorization message.
4. Firehose Network Client opens the data connection and starts streaming data from the indexer's Firehose.
5. Firehose Indexer Service tracks the bytes served to the consumer against the latest receipt it has received.
   1. When it has served the data corresponding to the receipt amount, it requests another receipt.
6. Firehose Indexer Service also
   1. periodically checks how much collateral the consumer has remaining. If this ever goes to zero, it instructs the Firehose to terminate the data connection.
   2. periodically checks whether it needs a RAV from the consumer. When it does, it sends a RAV request to the consumer and waits for a RAV. If it doesn't get one back in a certain time frame, it instructs Firehose to terminate the data connection.

Proposal

We propose that TAP agent serves a gRPC API for Firehose Indexer Services but also Subgraph Indexer Services to connect to. This API could look as follows:

service TAPAgent {
  rpc PayerStatus(PayerStatusRequest) returns (PayerStatusResponse);
}

message PayerStatusRequest {
  bytes payer_address = 1;
}

message PayerStatusResponse {
  bytes payer_address = 1;
  bytes remaining_collateral = 2;
  optional bytes rav_request = 3;
}

Using this, different indexer service implementations can:

1. Decide when to stop serving a consumer (e.g. when their remaining collateral goes to zero).
2. Forward RAV requests to the consumer whenever necessary.

The subgraph indexer service could use this by periodically checking the payer status for all gateways it has interacted with. If a RAV is required for any of them, it could then send that request to their aggregator endpoint. This way, TAP agent would not need to know anything about gateways and their URLs.

The Firehose indexer service could use this by periodically checking the payer status for all consumers that have a payment connection open with the indexer. It can forward RAV requests to them via these payment connections.

Alternative considerations

• The above gRPC API may not be ideal for performance reasons. I (Jannis) am not a gRPC/protobuf expert. Perhaps a stream would be better instead of a request/response pattern? 🤔

Additional context

• It may make sense to also use this gRPC API between the subgraph indexer service and TAP agent. The way that could work is that the subgraph indexer service would be the one to have awareness of what gateways exist and what their RAV endpoints are. It could then periodically poll the TAP agent for whether it needs a RAV from any of the gateways, and take action accordingly. This way, the TAP agent would not have to be aware of gateways at all and the way Firehose indexer service, subgraph indexer service and others obtain RAV requests would be uniform.

Problem statement
Currently TAP Agent ignores payment faults.

Expectation proposal
Faults can be invalid receipts (wrong value, receipt replay, etc), invalid RAVs, or aggregation denial.

For each type of fault, criteria should be determined for deciding when to stop doing business with a problematic sender.

The signal to reject a sender should be communicated promptly to the service instances for it to be effective.

EDIT:
Sender denial move to issue #103

Additional context

My "dream" is to be able to write an indexer service for a new data service with only a few lines of code. Think along the lines of running a single run_indexer_service function to which a few things are passed:

• A function to extract receipts from incoming requests.
• A function to forward incoming requests to the data service backend (e.g. graph-node, SQL database).
• A status API of sorts
• A cost model API of sorts

Would it make sense?
I'm considering this because TAP will also need to watch for new allocations, and having lots of TAP stuff inside of AllocationMonitor may be a little bit of an anti-pattern.
For such a change, I was looking into leveraging tokio::sync::broadcast or tokio::sync::watch, and the other components would just have to subscribe to know when the current set of eligible allocations has changed.

That may be overkill though 🤷

Problem statement
Look into using graphql_client for a strongly typed interface to the GraphQL API (return data)

          I'm not sure how we should use the `TimestampCheck` now that we have a better check when creating the rav. @aasseman do you have a suggestion? Should we remove it? Should we create a stateless timestamp check that verifies if the timestamp is within the range?

Originally posted by @gusinacio in #131 (comment)

Valuable to spike out what is required to provide json-rpc services by indexer-service

rough points:

• add json-rpc/block provider dependencies to support such service
• structure similar to QueryProcesser
• auth-token should be flexibly rolled and communicated without shutting down the service (perhaps scheduled in an agreement contract or triggered by gateway)
• service fee manageable by TAP?

Problem statement
Currently the TAP Agent relies on a user-provided list of sender addresses with corresponding TAP aggregator endpoint URLs. This is a stopgap solution for integration testing.

Expectation proposal
Once the gateway registry contract is implemented (TBD), TAP Agent will be modified to get the TAP aggregator endpoint URLs from there.

Alternative considerations
A clear and concise description of any alternative solutions or features you've considered.

Additional context

For statusSever,

1. extract graphql query from the received request
2. filter the query for supported root fields,

let supported_root_fields = [
"indexingStatuses",
"publicProofsOfIndexing",
"entityChangesInBlock",
"blockData",
"cachedEthereumCalls",
"subgraphFeatures",
"apiVersions",
];

3. send the updated query request to graph_node_status_endpoint
4. return the response from graph node

• register metrics, serve metrics port that can be scrapped by Prometheus
• record queries metrics
• record cost model metrics
• record indexer errors
• Agreeing with comments from @aasseman , we can further improve metrics with

  query duration be discarded if there's an error
  FAILED_QUERIES be incremented at all the points where the functions returns with an error