Feature/validate_output_structure (#1284)

alexcos20 · web-flow · commit da91f1b284cf · 2026-03-24T11:01:52.000+02:00
* validate output on initialize and startCompute

* update docs

* validate storage
diff --git a/docs/API.md b/docs/API.md
@@ -1463,6 +1463,7 @@ starts a free compute job and returns jobId if succesfull
 | additionalViewers           | object |          | optional array of addresses that are allowed to fetch the result                                                                                                            |
 | queueMaxWaitTime            | number |          | optional max time in seconds a job can wait in the queue before being started                                                                                               |
 | encryptedDockerRegistryAuth | string |          | Ecies encrypted docker auth schema for image (see [Private Docker Registries with Per-Job Authentication](../env.md#private-docker-registries-with-per-job-authentication)) |
+| output                      | string |          | Ecies encrypted with instructions for uploading compute results (see [C2D result upload to remote storage](../Storage.md#c2d-result-upload-to-remote-storage))              |
 
 #### Request
 
diff --git a/docs/Storage.md b/docs/Storage.md
@@ -4,13 +4,13 @@ Ocean Node supports five storage backends for assets (e.g. algorithm or data fil
 
 ## Supported types
 
-| Type       | `type` value | Description                          |
-| ---------- | ------------- | ------------------------------------ |
-| **URL**    | `url`         | File served via HTTP/HTTPS           |
-| **IPFS**   | `ipfs`        | File identified by IPFS CID          |
-| **Arweave**| `arweave`     | File identified by Arweave transaction ID |
-| **S3**     | `s3`          | File in S3-compatible storage (AWS, Ceph, MinIO, etc.) |
-| **FTP**    | `ftp`         | File served via FTP or FTPS          |
+| Type        | `type` value | Description                                            |
+| ----------- | ------------ | ------------------------------------------------------ |
+| **URL**     | `url`        | File served via HTTP/HTTPS                             |
+| **IPFS**    | `ipfs`       | File identified by IPFS CID                            |
+| **Arweave** | `arweave`    | File identified by Arweave transaction ID              |
+| **S3**      | `s3`         | File in S3-compatible storage (AWS, Ceph, MinIO, etc.) |
+| **FTP**     | `ftp`        | File served via FTP or FTPS                            |
 
 All file objects can optionally include encryption metadata: `encryptedBy` and `encryptMethod` (e.g. `AES`, `ECIES`).
 
@@ -31,12 +31,12 @@ Files are fetched from a given URL using HTTP GET or POST.
 }
 ```
 
-| Field     | Required | Description                                      |
-| --------- | -------- | ------------------------------------------------ |
-| `type`    | Yes      | Must be `"url"`                                  |
-| `url`     | Yes      | Full HTTP/HTTPS URL to the file                  |
-| `method`  | Yes      | `"get"` or `"post"`                              |
-| `headers` | No       | Optional request headers (key-value object)      |
+| Field     | Required | Description                                 |
+| --------- | -------- | ------------------------------------------- |
+| `type`    | Yes      | Must be `"url"`                             |
+| `url`     | Yes      | Full HTTP/HTTPS URL to the file             |
+| `method`  | Yes      | `"get"` or `"post"`                         |
+| `headers` | No       | Optional request headers (key-value object) |
 
 ### Validation
 
@@ -64,10 +64,10 @@ Files are resolved via an IPFS gateway using a content identifier (CID).
 }
 ```
 
-| Field  | Required | Description                    |
-| ------ | -------- | ------------------------------ |
-| `type` | Yes      | Must be `"ipfs"`               |
-| `hash` | Yes      | IPFS content identifier (CID)  |
+| Field  | Required | Description                   |
+| ------ | -------- | ----------------------------- |
+| `type` | Yes      | Must be `"ipfs"`              |
+| `hash` | Yes      | IPFS content identifier (CID) |
 
 The node builds the download URL as: `{ipfsGateway}/ipfs/{hash}` (e.g. `https://ipfs.io/ipfs/QmXoy...`).
 
@@ -96,10 +96,10 @@ Files are identified by an Arweave transaction ID and fetched via an Arweave gat
 }
 ```
 
-| Field           | Required | Description                |
-| --------------- | -------- | -------------------------- |
-| `type`          | Yes      | Must be `"arweave"`        |
-| `transactionId` | Yes      | Arweave transaction ID     |
+| Field           | Required | Description            |
+| --------------- | -------- | ---------------------- |
+| `type`          | Yes      | Must be `"arweave"`    |
+| `transactionId` | Yes      | Arweave transaction ID |
 
 The node builds the download URL as: `{arweaveGateway}/{transactionId}`.
 
@@ -135,21 +135,21 @@ Files are stored in S3-compatible object storage. The node uses the AWS SDK and
 }
 ```
 
-| Field     | Required | Description |
-| --------- | -------- | ----------- |
-| `type`    | Yes      | Must be `"s3"` |
-| `s3Access` | Yes    | Object with endpoint, bucket, object key, and credentials (see below). |
+| Field      | Required | Description                                                            |
+| ---------- | -------- | ---------------------------------------------------------------------- |
+| `type`     | Yes      | Must be `"s3"`                                                         |
+| `s3Access` | Yes      | Object with endpoint, bucket, object key, and credentials (see below). |
 
 **`s3Access` fields:**
 
-| Field             | Required | Description |
-| ----------------- | -------- | ----------- |
-| `endpoint`        | Yes      | S3 endpoint URL (e.g. `https://s3.amazonaws.com`, `https://nyc3.digitaloceanspaces.com`, or `https://my-ceph.example.com`) |
-| `bucket`          | Yes      | Bucket name |
-| `objectKey`       | Yes      | Object key (path within the bucket) |
-| `accessKeyId`     | Yes      | Access key for the S3-compatible API |
-| `secretAccessKey` | Yes      | Secret key for the S3-compatible API |
-| `region`          | No       | Region (e.g. `us-east-1`). Optional; defaults to `us-east-1` if omitted. Some backends (e.g. Ceph) may ignore it. |
+| Field             | Required | Description                                                                                                                                                                                                      |
+| ----------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `endpoint`        | Yes      | S3 endpoint URL (e.g. `https://s3.amazonaws.com`, `https://nyc3.digitaloceanspaces.com`, or `https://my-ceph.example.com`)                                                                                       |
+| `bucket`          | Yes      | Bucket name                                                                                                                                                                                                      |
+| `objectKey`       | Yes      | Object key (path within the bucket)                                                                                                                                                                              |
+| `accessKeyId`     | Yes      | Access key for the S3-compatible API                                                                                                                                                                             |
+| `secretAccessKey` | Yes      | Secret key for the S3-compatible API                                                                                                                                                                             |
+| `region`          | No       | Region (e.g. `us-east-1`). Optional; defaults to `us-east-1` if omitted. Some backends (e.g. Ceph) may ignore it.                                                                                                |
 | `forcePathStyle`  | No       | If `true`, use path-style addressing (e.g. `endpoint/bucket/key`). Required for some S3-compatible services (e.g. MinIO). Default `false` (virtual-host style, e.g. `bucket.endpoint/key`, standard for AWS S3). |
 
 ### Validation
@@ -186,9 +186,9 @@ For FTPS (TLS):
 }
 ```
 
-| Field  | Required | Description |
-| ------ | -------- | ----------- |
-| `type` | Yes      | Must be `"ftp"` |
+| Field  | Required | Description                                                                                                                                                          |
+| ------ | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `type` | Yes      | Must be `"ftp"`                                                                                                                                                      |
 | `url`  | Yes      | Full FTP or FTPS URL. Supports `ftp://` and `ftps://`. May include credentials as `ftp://user:password@host:port/path`. Default port is 21 for FTP and 990 for FTPS. |
 
 ### Validation
@@ -207,6 +207,113 @@ FTPStorage supports `upload(filename, stream)`. If the file object’s `url` end
 
 ---
 
+## C2D result upload to remote storage
+
+Compute-to-Data jobs can upload their output archive to a remote backend instead of keeping it only on local node disk.
+
+### How it works
+
+1. You build a `ComputeOutput` JSON object with:
+   - `remoteStorage`: one of the storage objects from this document (`url`, `s3`, `ftp`, etc.)
+   - optional `encryption`: currently only `AES` is accepted, with a hex key
+2. You ECIES-encrypt that JSON into a string and send it in the compute command as `output`.
+3. When the job finishes:
+   - if `output` is present and remote storage supports upload, Ocean Node uploads the tar archive remotely
+   - otherwise, Ocean Node falls back to local `outputs.tar` behavior
+
+### `ComputeOutput` shape
+
+```json
+{
+  "remoteStorage": {
+    "type": "s3",
+    "s3Access": {
+      "endpoint": "https://s3.amazonaws.com",
+      "region": "us-east-1",
+      "bucket": "my-c2d-results",
+      "objectKey": "jobs/result.tar",
+      "accessKeyId": "AKIA...",
+      "secretAccessKey": "..."
+    }
+  },
+  "encryption": {
+    "encryptMethod": "AES",
+    "key": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+  }
+}
+```
+
+Notes:
+
+- `output` itself is **not plain JSON** in the compute request; it must be an ECIES-encrypted string.
+- `encryption.key` must be at least 32 bytes (64 hex chars).
+- `encryption.encryptMethod` must be `AES` if provided.
+
+### End-to-end example
+
+#### 1) Create plaintext output instructions
+
+```json
+{
+  "remoteStorage": {
+    "type": "ftp",
+    "url": "ftp://user:password@ftp.example.com:21/results/"
+  },
+  "encryption": {
+    "encryptMethod": "AES",
+    "key": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+  }
+}
+```
+
+#### 2) Encrypt the JSON
+
+You can use `POST /api/services/encrypt` to encrypt the JSON string for Ocean Node:
+
+```bash
+curl -X POST "https://<node>/api/services/encrypt?consumerAddress=<0xAddress>&nonce=<nonce>&signature=<signature>" \
+  -H "Content-Type: text/plain" \
+  --data-raw '{"remoteStorage":{"type":"ftp","url":"ftp://user:password@ftp.example.com:21/results/"},"encryption":{"encryptMethod":"AES","key":"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}}'
+```
+
+The response is the encrypted blob (hex string).  
+If your encrypt response includes `0x` prefix, remove it before sending as compute `output` (compute handlers decode `output` as raw hex bytes).
+
+#### 3) Send compute command with `output`
+
+Example for `freeStartCompute`:
+
+```json
+{
+  "command": "freeStartCompute",
+  "consumerAddress": "0x...",
+  "signature": "0x...",
+  "nonce": "123",
+  "environment": "<env-id>",
+  "datasets": [],
+  "algorithm": {
+    "meta": {
+      "rawcode": "print('hello')",
+      "container": {
+        "image": "python",
+        "tag": "3.10",
+        "entrypoint": "python",
+        "checksum": "..."
+      }
+    }
+  },
+  "output": "<ecies-encrypted-output-string>"
+}
+```
+
+### Uploaded filename and fallback behavior
+
+- For remote upload, Ocean Node writes: `outputs-<clusterHash>-<jobId>.tar`
+- If `output` is missing/empty, or chosen storage does not support upload, Ocean Node stores output locally (`outputs.tar`) as before.
+- If remote upload fails, job status is set to `ResultsUploadFailed`.
+
+---
+
 ## Summary
 
 - **URL**: flexible HTTP(S) endpoints; optional custom headers and `unsafeURLs` filtering.
diff --git a/src/@types/commands.ts b/src/@types/commands.ts
@@ -220,6 +220,7 @@ export interface ComputeInitializeCommand extends Command {
   policyServer?: any // object to pass to policy server
   queueMaxWaitTime?: number // max time in seconds a job can wait in the queue before being started
   encryptedDockerRegistryAuth?: string
+  output?: string // this is always an ECIES encrypted string, that decodes to ComputeOutput interface
 }
 
 export interface FreeComputeStartCommand extends Command {
diff --git a/src/components/core/compute/initialize.ts b/src/components/core/compute/initialize.ts
@@ -33,7 +33,12 @@ import { getAlgorithmImage } from '../../c2d/compute_engine_docker.js'
 import { Credentials, DDOManager } from '@oceanprotocol/ddo-js'
 import { checkCredentials } from '../../../utils/credentials.js'
 import { PolicyServer } from '../../policyServer/index.js'
-import { generateUniqueID, getAlgoChecksums, validateAlgoForDataset } from './utils.js'
+import {
+  generateUniqueID,
+  getAlgoChecksums,
+  validateAlgoForDataset,
+  validateOutput
+} from './utils.js'
 
 export class ComputeInitializeHandler extends CommandHandler {
   validate(command: ComputeInitializeCommand): ValidateParams {
@@ -207,7 +212,14 @@ export class ComputeInitializeHandler extends CommandHandler {
           )
         }
       }
-
+      const isValidOutput = await validateOutput(
+        node,
+        task.output,
+        await getConfiguration()
+      )
+      if (isValidOutput.status.httpStatus !== 200) {
+        return isValidOutput
+      }
       // check algo
       let index = 0
       const policyServer = new PolicyServer()
diff --git a/src/components/core/compute/startCompute.ts b/src/components/core/compute/startCompute.ts
diff --git a/src/components/core/compute/utils.ts b/src/components/core/compute/utils.ts

Original file line number	Diff line number	Diff line change
`@@ -220,6 +220,7 @@ export interface ComputeInitializeCommand extends Command {`
`220`	`220`	`policyServer?: any // object to pass to policy server`
`221`	`221`	`queueMaxWaitTime?: number // max time in seconds a job can wait in the queue before being started`
`222`	`222`	`encryptedDockerRegistryAuth?: string`
	`223`	`+ output?: string // this is always an ECIES encrypted string, that decodes to ComputeOutput interface`
`223`	`224`	`}`
`224`	`225`
`225`	`226`	`export interface FreeComputeStartCommand extends Command {`