Arquitectura del Sistema de Gravació

Audience: Engineers working across Recorder crates or integrating Recorder with sistemes de control-plane com Decision Gate.

Taula de continguts

Visió Executiva
Arquitectura en Capes
Flux de dades de principi a fi
Límits de confiança i postura de seguretat
Model de Determinisme
Abast d’implementació actual
File per Fitxer Referència Creuada

Executive Overview

Recorder és un pla de dades per a l’enregistrament d’evidències deterministes. Captura esdeveniments no segellats als límits dels adaptadors, els segella en sobres en cadena de hash, els persisteix en històries de segments només d’append, i exporta paquets portàtils per a la verificació fora de línia.

El sistema està organitzat com un espai de treball Rust amb límits estrictes de crate: contractes bàsics, model d’envolupament, orquestració de gravadors, backend d’emmagatzematge, una façana SDK ergonòmica de Rust, un SDK de sidecar de Python generat per la primera part, semàntica de configuració de sidecar canònica, operacions CLI i un servei HTTP de sidecar en temps d’execució. F:Cargo.toml L9-L26

Arquitectura en capes

Core contracts (recorder-core)
- Identity newtypes, hash/signature abstractions, filters, schema versioning, and boundary error algebras. F:crates/recorder-core/src/lib.rs L53-L109
Evidence model (recorder-envelope)
- Envelope/segment/bundle types, canonical encoding functions, adapter and provider contracts, and verification result algebra. F:crates/recorder-envelope/src/lib.rs L53-L111
Integration adapters (recorder-decision-gate-adapter, recorder-otel-adapter)
- First-party deterministic adapters implementing:
  - Decision Gate MCP/runpack transcript mapping, redaction/bounds policy, i executar comprovacions d’integritat de descompressió.
  - OpenTelemetry JSON export mapping (spans + logs) with deterministic IDs/event types and strict-fail parse policy. F:crates/recorder-decision-gate-adapter/src/lib.rs L1-L40 F:crates/recorder-otel-adapter/src/lib.rs
Recording runtime (recorder)
- RecorderEngine, BundleBuilder, Verifier, local adapter, and provider implementation. F:crates/recorder/src/lib.rs L34-L56
Persistence (recorder-store)
- Store traits with SQLite and in-memory implementations. F:crates/recorder-store/src/lib.rs L49-L71
Sidecar config authority (recorder-sidecar-config)
- Canonical sidecar config model, fail-closed runtime validation, and deterministic config projection helpers consumed by recorder-contract. F:crates/recorder-sidecar-config/src/lib.rs
Rust SDK facade (recorder-sdk)
- Single-crate Rust consumer surface composing recorder, local adapter, provider, verifier, and store handles via deterministic builder defaults. F:crates/recorder-sdk/src/lib.rs F:crates/recorder-sdk/src/builder.rs
Generated sidecar SDK (recorder-client for Python)
- Contract-driven sync/async HTTP client generated from Docs/generated/recorder/sdk/{types,methods}.json with strict typed request/response validation, retry-safe idempotency behavior, and fail-closed error mapping. F:sdk/python/scripts/generate_contract.py F:sdk/python/src/recorder_client/client.py F:sdk/python/src/recorder_client/sync_client.py F:sdk/python/src/recorder_client/async_client.py
Operational surface (recorder-cli)
- CLI command groups for segment lifecycle, recording, query, bundle, config validation, diagnostics, attachment-aware ingest, Decision Gate fixture ingest, and OTel fixture ingest, with handlers split into command and support helper modules. F:crates/recorder-cli/src/main.rs L137-L272 F:crates/recorder-cli/src/commands.rs L19-L29 F:crates/recorder-cli/src/support.rs L19-L23
Superfície del servei de xarxa (recorder-sidecar)

Sidecar HTTP/JSON runtime with auth/bounds middleware and a single-writer ingest runtime over Unix/TCP listeners, including explicit liveness/startup/readiness probes, enterprise-aware readiness modes, stream-scoped deterministic query semantics, and compatibility ingest route POST /v1/ingest/otel. F:crates/recorder-sidecar/src/lib.rs L1-L41 F:crates/recorder-sidecar/src/server.rs L42-L247

Generació de contractes de projecció (recorder-contract)

Deterministic artifact generation/check (Docs/generated/recorder/**) and manifest hash authority (index.json). F:crates/recorder-contract/src/lib.rs

Flux de dades de principi a fi

Adapter / CLI input
    -> Sidecar mutating route validation (tenant_id + recorder_id + idempotency key)
    -> IngestGateway bounded queue admission
    -> IngestWriterRuntime writer-native sealing + single-tx micro-batch commit
    -> Stream/global commit index assignment + idempotency + projection update
    -> BundleBuilder resolves selector + attachment closure + manifest
    -> Verifier runs 7 phases offline
    -> EvidenceProvider serves bundles/envelope queries to control-plane bridge

Punts d’entrada clau del flux:

Ingest path: IngestGateway::submit_envelope -> IngestWriterRuntime::process_batch F:crates/recorder-sidecar/src/ingest.rs
Writer-native sealing/commit path (sidecar hot path no longer calls RecorderEngine::record_envelope for mutating HTTP ingest) F:crates/recorder-sidecar/src/ingest.rs
Bundle export path: BundleBuilder::build F:crates/recorder/src/bundle_builder.rs L129-L172
Offline verification path: Verifier::verify F:crates/recorder/src/verifier.rs L95-L136

Límits de confiança i postura de seguretat

Adapter inputs are treated as untrusted and validated fail-closed before recorder append. F:crates/recorder/src/validation.rs L46-L83
recorder-sdk preserves the same fail-closed adapter/provider boundaries by composing existing LocalRecorderAdapter and RecorderEvidenceProvider implementations rather than redefining validation or policy behavior. F:crates/recorder-sdk/src/builder.rs
recorder-client (Python) treats sidecar responses as untrusted, validates them against generated contract projections, fails closed on unknown error codes or schema drift, and preserves idempotency keys across retries for mutating operations. F:sdk/python/src/recorder_client/client.py F:sdk/python/src/recorder_client/client_common.py F:sdk/python/src/recorder_client/sync_client.py F:sdk/python/src/recorder_client/async_client.py F:sdk/python/src/recorder_client/errors.py
Core identity constructors fail closed on blank/control-character strings, and KeyId enforces canonical lowercase SHA-256 hex shape. String-backed identity types now also enforce explicit max-length policies and constructor-validated serde deserialization. F:crates/recorder-core/src/identity.rs L31-L55 F:crates/recorder-core/src/identity.rs L37-L47 F:crates/recorder-core/src/identity.rs L516-L647
Envelope-layer attachment and segment constructors reject empty/blank/control text inputs for content_type and recorder_id, enforce max-length bounds, and validate serde deserialize boundaries through constructors. F:crates/recorder-envelope/src/attachment.rs L35-L44 F:crates/recorder-envelope/src/attachment.rs L79-L96 F:crates/recorder-envelope/src/segment.rs L42-L56 F:crates/recorder-envelope/src/segment.rs L91-L118
Store append enforces chain continuity and rejects writes to sealed segments. F:crates/recorder-store/src/traits.rs L47-L66
Verifier and provider library boundaries enforce bounded-work fail-closed policies to protect embedding wrappers from unbounded in-memory workloads. F:crates/recorder/src/verifier.rs L73-L246 F:crates/recorder/src/evidence_provider.rs L52-L300
SQLite dispatch now uses bounded queue admission and deterministic saturation rejection rather than unbounded operation buffering. F:crates/recorder-store/src/sqlite/connection.rs L42-L136
Sidecar HTTP boundary enforces request identity, optional bearer-token auth with constant-time compare, protocol/header/body bounds, bounded queue and active concurrency gates, timeout fail-closed behavior, required tenant/recorder mutating request identity checks, and persistent stream-scoped idempotency replay/conflict controls in the single-writer ingest path. Probe routes (/health, /startup, /ready) are explicitly exempt from those request gates so orchestration liveness/startup/readiness signals remain observable under stress. F:crates/recorder-sidecar/src/middleware/request_id.rs L15-L30 F:crates/recorder-sidecar/src/middleware/auth.rs L21-L84 F:crates/recorder-sidecar/src/middleware/bounds.rs L21-L172 F:crates/recorder-sidecar/src/ingest.rs
Sidecar container packaging is first-party in-repo and keeps the same fail-closed config + token-hardening model under distroless nonroot runtime with explicit UID/GID mapping plus secret-source-to-tmpfs token bootstrap before sidecar startup. F:docker/sidecar/Dockerfile F:docker/sidecar/docker-compose.yml F:docker/sidecar/config/sidecar.toml F:crates/recorder-sidecar/src/bin/docker_bootstrap.rs
Hash equality uses constant-time comparison in core, verifier, and stores. F:crates/recorder-core/src/hash.rs L102-L174 F:crates/recorder/src/verifier.rs L29-L52 F:crates/recorder-store/src/sqlite/envelope_ops.rs L62-L79

Model de Determinisme

El determinisme s’aconsegueix combinant:

codificació JCS canònica per a dades hashables,
estructures d’ordenació deterministes (BTreeMap, vectors ordenats),
lògica de hash estable i de selector,
verificació offline reproduïble.

F:crates/recorder-envelope/src/encoding.rs L13-L31 F:crates/recorder/src/bundle_builder.rs L27-L30 F:crates/recorder/src/bundle_builder.rs L466-L477

Abast de la Implementació Actual

Implementat ara:

Cicle de gravació local complet i verificació de paquets.
SQLite/emmagatzematge en memòria.
recorder-sdk single-crate facade for Rust consumers, including deterministic valors per defecte del constructor i accessors d’adaptador/proveïdor/emmagatzematge directes.
recorder-client Python SDK with generated contract constants, typed sync/async clients de sidecar, i proves d’unitat/sistema.
Operacions impulsades per CLI i sortida localitzada.
CLI attachment-aware recording (record-with-attachments) with bounded file Gravació conscient d’adjuncions de CLI (record-with-attachments) amb fitxers limitats i entrades d’adjuncions en línia.
CLI Decision Gate fixture ingest command path wired to production adapter Ruta de comandament d’ingestió del dispositiu de Decision Gate del CLI connectada a la implementació de l’adaptador de producció.
CLI OTel fixture ingest command path wired to production adapter implementació.
System-test harness with registry-driven coverage, including OpenClaw gateway/CLI mock-flow and Decision Gate runpack-flow adapter-ingest proves d’integració.
CLI expansion system-tests for recorder-id shape validation parity, attachment-recording fail-closed boundaries, auto-seal duration/combined lifecycle behavior, query JSON pagination/limit guardrails, and Decision Gate CLI ingest-fixture èxit/fallida estricta rutes.
Production Decision Gate adapter crate (crates/recorder-decision-gate-adapter) with deterministic MCP/runpack mapping, runpack-integrity strict/anomaly policy handling, and transcript controls de redacció/límits.
Production OTel adapter crate (crates/recorder-otel-adapter) with deterministic span/log mapping, strict identifier/time parsing, and bounded/redacted controls de càrrega.
OpenClaw integration harness mapping policy with deterministic sensitive-field Política de mapeig de l’integració d’OpenClaw amb redacció de camps sensibles determinista i gestió de càrregues limitades per a proves de connexió basades en fixtures.
Decision Gate integration system-tests wired to the production adapter crate, covering signed/unsigned lanes, root-hash and manifest-integrity mismatch Sistema d’integració de Decision Gate amb proves de sistema connectades a la caixa d’adaptador de producció, cobrint comportaments de fallada tancada per discrepàncies en les pistes signades/no signades, el hash arrel i la integritat del manifest, així com la reproducció/hash determinista i l’estabilitat.
Sidecar Docker operator profile (docker/sidecar) and system-test coverage for Dockerfile/Compose hardening plus containerized probe/record/query flux.
Sidecar readiness semantics now support fail-closed dependency modes: La semàntica de preparació del Sidecar ara admet modes de dependència que fallen tancats: preparació només d’emmagatzematge i preparació d’emmagatzematge + control empresarial.

Postura actual de rendiment/estrès:

P2 stress/performance system-test expansion is now implemented with deterministic artifact-first lanes: performance::stress_concurrent_append_query_sqlite, performance::performance_bundle_materialization_smoke, and sidecar_perf::sidecar_perf_smoke_generates_gate_report (regression lane), plus sidecar_capacity::sidecar_capacity_sweep_generates_report (carril de capacitat).
CI now runs a profile matrix (test informational + release gated) on the pinned perf runner via scripts/ci/perf_matrix.py and enforces release thresholds/regression policy via scripts/ci/perf_gate.py and system-tests/perf_baselines/linux_x86_64_ci.json.
Sidecar ingest 10k target is defined only on the capacity lane metric max_sustainable_rps and is enforced only for pinned runner policy class (linux_x86_64_pinned); the regression lane remains a deterministic fixed senyal anti-regressió de càrrega de treball.
Sidecar perf throughput/latency lanes now run against persistent keep-alive HTTP client pools to avoid connection-churn distortion in write-path mesures.
Bundle-path metric bundle_build_envelopes_per_sec remains a separate core mètrica de materialització de paquet i no és un proxy de capacitat d’ingesta.

Elements de reforç a nivell de sistema recentment tancats:

Provider listing/fetch now uses stable bundle IDs and fetch-by-ID segment selectors. F:crates/recorder/src/evidence_provider.rs L125-L229
Recorder verifier/provider now enforce explicit bounded-work policy and reject oversized workloads fail-closed at library boundaries. F:crates/recorder/src/verifier.rs L73-L246 F:crates/recorder/src/evidence_provider.rs L52-L300
SQLite operation dispatch now applies bounded queue backpressure with deterministic saturation failure behavior. F:crates/recorder-store/src/sqlite/connection.rs L42-L203
Contract generation now overlays inferred schemas with authoritative runtime constraints and fail-closes on missing constraint pointer targets. F:crates/recorder-contract/src/lib.rs L565-L742
Sidecar contract-generation/projection integration is now implemented with generated API artifacts (openapi/errors/enums/examples/compat) and fail-closed contract gates in CI orchestration under current semàntica de la política de pre-llançament per a /v1.
Sidecar compatibility surface now includes OTel ingest route (POST /v1/ingest/otel) with generated contract baseline and strict media-type gate alignment from shared policy source. F:crates/recorder-contract/src/lib.rs F:scripts/ci/sidecar_contract_gates.py F:scripts/ci/generate_all.sh
Verifier phase 6 now executes trust-root signature checks with policy evaluation (skip warning only when no trust root is provided). F:crates/recorder/src/verifier.rs L509-L651
Startup read-back verification now executes from RecorderEngine::new when startup_verification_depth > 0. F:crates/recorder/src/engine.rs L154-L197 F:crates/recorder/src/engine.rs L380-L543

File per Fitxer Referència Creuada

Àrea	Fitxer	Notes
Límits de l’espai de treball	`Cargo.toml`	Membresia del crate i postura de lint.
Contractes bàsics	`crates/recorder-core/src/lib.rs`	Primitives i traits de domini compartit.
Model d’envelopa	`crates/recorder-envelope/src/lib.rs`	Model de dades d’evidència i contractes.
Temps d’execució del gravador	`crates/recorder/src/engine.rs`	Ingesta, progressió de la cadena, cicle de vida del segment.
Façana del SDK de Rust	`crates/recorder-sdk/src/lib.rs`, `crates/recorder-sdk/src/builder.rs`	Constructor ergonòmic i façana unificada de gravador/proveïdor per a consumidors de Rust.
Façana del SDK de Python	`sdk/python/src/recorder_client/client.py`, `sdk/python/src/recorder_client/client_common.py`, `sdk/python/src/recorder_client/sync_client.py`, `sdk/python/src/recorder_client/async_client.py`, `sdk/python/src/recorder_client/models.py`, `sdk/python/src/recorder_client/errors.py`	Superfície de client sidecar síncron/asincrònica basada en contractes generats amb validació estricta de fallada tancada i mapeig d’errors tipats.
Paquet + verificador	`crates/recorder/src/bundle_builder.rs`	Resolució de selectors i materialització de paquets.
Verificació de paquets	`crates/recorder/src/verifier.rs`	Verificació fora de línia en 7 fases.
Traits d’emmagatzematge	`crates/recorder-store/src/traits.rs`	Invariants del contracte de persistència.
Límits de la cua de SQLite	`crates/recorder-store/src/sqlite/connection.rs`	Comportament de dispatch async-a-sync limitat i fallada tancada per saturació.
Superfície CLI	`crates/recorder-cli/src/main.rs`, `crates/recorder-cli/src/commands.rs`, `crates/recorder-cli/src/support.rs`	Arquitectura de comandes operatives dividida entre dispatch, gestors de comandes i helpers d’execució/utilitat.
Servei sidecar	`crates/recorder-sidecar/src/lib.rs`, `crates/recorder-sidecar/src/server.rs`	Temps d’execució HTTP, pila de middleware i cicle de vida del transport.
Configuració/seguretat del sidecar	`crates/recorder-sidecar-config/src/config.rs`, `crates/recorder-sidecar-config/src/validation.rs`, `crates/recorder-sidecar/src/middleware/auth.rs`, `crates/recorder-sidecar/src/middleware/bounds.rs`, `crates/recorder-sidecar/src/ingest.rs`	Validació de configuració de fallada tancada i autoritat de projecció més controls d’autenticació/límits del sidecar i comportament d’idempotència d’ingesta d’escriptura única.
Embalatge del contenidor sidecar	`docker/sidecar/Dockerfile`, `docker/sidecar/docker-compose.yml`, `docker/sidecar/config/sidecar.toml`, `crates/recorder-sidecar/src/bin/docker_bootstrap.rs`	Perfil de construcció/execució de contenidor de primera part alineat amb invariants de validació/seguretat del sidecar, incloent el bootstrap de token de font secreta en la ruta d’execució tmpfs endurida.
Generador de contractes	`crates/recorder-contract/src/lib.rs`, `crates/recorder-contract/src/sidecar_api.rs`, `crates/recorder-contract/src/sidecar_api/openapi.rs`, `crates/recorder-contract/src/sidecar_api/artifacts.rs`, `crates/recorder-contract/src/sidecar_api/specs/mod.rs`	Autoritat d’artifacte generat determinista + verificacions de deriva.
Proves de sistema	`system-tests/README.md`	Contracte de validació de principi a fi.
Adaptador de Decision Gate	`crates/recorder-decision-gate-adapter/src/adapter.rs`	Implementació de política de mapeig/redacció/integritat de producció per a la ingesta de Decision Gate.
Adaptador OTel	`crates/recorder-otel-adapter/src/adapter.rs`	Implementació de política de mapeig/redacció/límits de producció per a la ingesta de JSON OTel.
Proves d’integració OpenClaw	`system-tests/tests/suites/integration_openclaw.rs`	Verificació d’ingesta d’adaptador basada en fixtures per al acoblament de fluxos de treball externs.
Arquitectura d’integració OpenClaw	Docs/architecture/recorder_openclaw_integration_architecture.md	Contracte de política de mapeig i redacció/càrrega limitada versionada.
Proves d’integració de Decision Gate	`system-tests/tests/suites/integration_decision_gate.rs`	Verificació d’ingesta de flux MCP basada en fixtures per al acoblament del pla de control.
Arquitectura d’integració de Decision Gate	Docs/architecture/recorder_decision_gate_integration_architecture.md	Contracte de mapeig de flux MCP versionat, política d’integritat de runpack i redacció/límits de transcripció.
Arquitectura d’integració OTel	Docs/architecture/recorder_otel_integration_architecture.md	Contracte de mapeig de JSON OTel versionat, IDs/event types deterministes, i cablejat d’ingesta de sidecar/CLI.