Arxi Features & Capabilities
You've seen what Arxi enables. This page answers two practical questions: what guarantees are universal, and how Open Source differs from Enterprise.
OSS vs Enterprise
| Decision Driver | Open Source (Apache 2.0) | Enterprise (Self-Hosted) |
|---|---|---|
| Recording engine (envelopes, chains, segments, bundles) | ✓ | ✓ |
| Storage backends | SQLite, in-memory | + Distributed storage, fleet replication |
| Verification | 7-phase offline bundle verification | + Continuous verification, fleet-wide audits |
| Signing | Ed25519 optional envelope signing | + Trust root management, automated key rotation |
| CLI | Full CLI with JSON output, i18n (en, ca) | + Admin tooling, fleet CLI |
| Integration | EvidenceProvider trait, RecorderAdapter trait | + Sidecar mode, remote service, ingestion API |
| Tenancy | Single-tenant | + Multi-tenant authn/authz, fleet governance |
| Support | Community (GitHub) | Integration guidance |
Guarantees
- Append-only integrity: envelopes cannot be modified or deleted once recorded
- Deterministic hashing: same inputs produce identical hashes (JCS canonical encoding, RFC 8785)
- Fail-closed validation: missing or invalid data halts recording at the boundary
- Tamper-evident chains: any alteration to an envelope breaks the hash chain
- Content-addressed attachments: attachments stored by SHA-256 content hash
Included
- Append-only envelope recording with cryptographic hash chain integrity
- Segment lifecycle management (open, seal, auto-seal policies)
- Bundle builder with selector algebra (segment, trace, time, IDs, filter, composite)
- 7-phase offline bundle verification (manifest, attachments, content, chain, cross-segment, signatures, verdict)
- Ed25519 signature verification infrastructure
- Full CLI with JSON output mode and i18n
Enterprise Adds
- Distributed storage and fleet replication
- Multi-tenant authentication and access control
- Sidecar and remote service deployment modes
- Automated key rotation and trust root management
- Fleet-wide governance and ingestion APIs
- Admin tooling and operational dashboards
Boundaries
- Does not make decisions: Arxi records evidence; decision systems like Decision Gate evaluate it
- Does not execute tools: Arxi captures boundary events; tools run elsewhere
- Does not enforce policy: use Decision Gate for policy gates and requirement evaluation
- Does not provide managed hosting: self-hosted by default; managed cloud deferred
- Does not infer meaning: authors define event types, actors, and correlation explicitly
Deep Dives
- Arxi CLI — Recording, querying, bundle operations
- Evidence Envelope Model — Full envelope specification and fields
- Bundle Verification — 7-phase verification pipeline details
- Integration with Decision Gate — Evidence bundles feeding policy gates
Learn More
- Examples — Workflows that use these guarantees
- Full Documentation — Specs, math, tooling, and reference